Cross-site Scripting (XSS) Vulnerabilities in eShop for Wordpress

2011-07-20T00:00:00
ID HTB23034
Type htbridge
Reporter High-Tech Bridge
Modified 2011-07-20T00:00:00

Description

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in eShop for Wordpress which could be exploited to perform cross-site scripting attacks.

1) Cross-site scripting (XSS) vulnerabilities in eShop for Wordpress
1.1 The vulnerability exists due to insufficient sanitization of the "eshoptemplate" parameter in wp-admin/admin.php (when "page" is set to "eshop-templates.php"). A remote attacker can trick a logged-in user into opening a specially crafted URL and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim is logged into the application and has access to the administrative interface.
Exploitation example:
http://[host]/wp-admin/admin.php?page=eshop-templates.php&eshoptemplate=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
1.2 The vulnerability exists due to insufficient sanitization of the "action" parameter in wp-admin/admin.php (when "page" is set to "eshop-orders.php"). A remote attacker can trick a logged-in user into opening a specially crafted URL and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim is logged into the application and has access to the administrative interface.
Exploitation example:
http://[host]/wp-admin/admin.php?page=eshop-orders.php&view=1&action=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
1.3 The vulnerability exists due to insufficient sanitization of the "viewemail" parameter in wp-admin/admin.php (when "page" is set to "eshop-orders.php"). A remote attacker can trick a logged-in user into opening a specially crafted URL and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim is logged into the application and has access to the administrative interface.
Exploitation example:
http://[host]/wp-admin/admin.php?page=eshop-orders.php&viewemail=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
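The three findings share one pattern: a request parameter is echoed into an admin page without encoding for the HTML context it lands in, and the leading %22%3E (a closing quote and angle bracket) in each payload shows that the reflection point is a double-quoted attribute value. The following PHP is an added illustration, not part of the advisory and not eShop's own code: a hypothetical handler that reflects the parameter the way the advisory describes, next to a hardened version built on WordPress's own escaping and capability functions. The function names, the markup, and the option name "manage_options" are assumptions; the payload is the advisory's.

```php
<?php
// Added example (not eShop's code): reflected XSS in a WordPress admin page
// and the hardened equivalent. All function names and markup are assumed.

// VULNERABLE: the raw GET parameter is concatenated into a double-quoted
// attribute. The advisory's payload  "><script>alert(document.cookie);</script>
// closes the attribute and the <input> tag, so the browser renders and runs
// the injected <script> with the logged-in administrator's session.
function eshop_template_form_vulnerable() {
    $template = isset( $_GET['eshoptemplate'] ) ? $_GET['eshoptemplate'] : '';
    echo '<input type="text" name="eshoptemplate" value="' . $template . '" />';
}

// HARDENED:
//  1. current_user_can(): only users holding the capability reach the code
//     (assumed capability; the plugin would use whatever it registered the menu with).
//  2. sanitize_text_field() + wp_unslash(): normalize the input once on the way in.
//  3. esc_attr() at the output point: turns " into &quot; and < into &lt;, so the
//     value can no longer terminate the attribute, whatever the input looked like.
function eshop_template_form_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $template = isset( $_GET['eshoptemplate'] )
        ? sanitize_text_field( wp_unslash( $_GET['eshoptemplate'] ) )
        : '';
    echo '<input type="text" name="eshoptemplate" value="' . esc_attr( $template ) . '" />';
}

// The encoder is chosen by where the output lands, not by where the input came
// from: esc_attr() inside an attribute, esc_html() between tags, esc_url() in
// href/src. If the "action" or "viewemail" value on eshop-orders.php is printed
// as element content rather than an attribute, esc_html() is the right call.
function eshop_order_action_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $action = isset( $_GET['action'] ) ? sanitize_text_field( wp_unslash( $_GET['action'] ) ) : '';
    echo '<p>Order action: ' . esc_html( $action ) . '</p>';
}

// Any handler on these pages that changes state (saving a template, updating an
// order) should additionally verify a nonce, e.g. check_admin_referer( 'eshop_save' ),
// so that a link an attacker hands to the administrator cannot trigger the action.
```

The capability check does not by itself fix the XSS: the victim in this advisory already passes it, because exploitation presupposes a logged-in administrative user. What it does is keep the vulnerable code from being reachable by anyone else, while the escaping removes the bug. Note also that "requires administrative access" limits who can be a victim, not the impact: the injected script runs with the administrator's session, so beyond reading document.cookie it can drive the WordPress admin interface (create users, change options, install plugins) exactly as that administrator could.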