Advanced Custom Fields Auth XSS Vulnerability

Note:
I am looking for a job in information security domain. Any lead or link is highly appreciable.

## FULL DISCLOSURE

#Product : Advanced Custom Fields
#Exploit Author : Rahul Pratap Singh
#Version : 4.4.7
#Home page Link :https://wordpress.org/plugins/advanced-custom-fields/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 1/5/2016

Authenticated XSS Vulnerability:

—————————————-
Description:
—————————————-
“type, label, name and field” parameters are not sanitized that leads to XSS.

—————————————-
Vulnerable Code:
—————————————-

File Name: testfiles/advanced-custom-fields/core/views/meta_box_fields.php

Found at line:97

<div class=”field field_type-<?php echo $field[‘type’]; ?> field_key-<?php echo $field[‘key’]; ?>” data-type=”<?php echo $field[‘type’]; ?>” data-id=”<?php echo $field[‘key’]; ?>”>

Found at line:105

<a class=”acf_edit_field row-title” title=”<?php _e(“Edit this Field”,’acf’); ?>” href=”javascript:;”><?php echo $field[‘label’]; ?></a>

Found at line:113

<td class=”field_name”><?php echo $field[‘name’]; ?></td>

Found at line:251

<input class=”conditional-logic-field” type=”hidden” name=”fields[<?php echo $field[‘key’]; ?>][conditional_logic][rules][<?php echo $rule_i; ?>][field]” value=”<?php echo $rule[‘field’]; ?>” />

—————————————-
POC:
—————————————-
advanced-custom-fields-xss1

Fix:
No Fix

Vulnerability Disclosure Timeline:
→ April 24, 2016  – Contact to Vendor via support
→ April 24, 2016  – Vendor Response
→ April 27, 2016  – Bug Report Sent
→ April 27, 2016  – Vendor Response, asked for more info
→ April 28, 2016  – More info sent
→ April 29, 2016  – No fix. To do list for version 5.0

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s