Two Reflected XSS Vulnerabilities in Easing Slider WordPress Plugin

2015-01-21T00:00:00
ID HTB23249
Type htbridge
Reporter High-Tech Bridge
Modified 2015-01-28T00:00:00

Description

High-Tech Bridge Security Research Lab discovered two XSS vulnerabilities in Easing Slider WordPress plugin, which can be exploited against administrators of WordPress (with the vulnerable plugin) to perform Cross-Site Scripting attacks.

Successful exploitation of the vulnerabilities may allow an attacker to steal administrator’s cookies and gain complete control over the website.

1) Two Reflected XSS Vulnerabilities in Easing Slider WordPress Plugin: CVE-2015-1436

1.1 The vulnerability exists due to insufficient sanitization of input data passed via the "edit" HTTP GET parameter to "/wp-admin/admin.php" script when "page" is set to "easingslider_manage_customizations". A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:

http://[host]/wp-admin/admin.php?page=easingslider_manage_customizations&edi t=%22%3E%3Cscript%3Ealert%28/ImmuniWeb/%29;%3C/script%3E

1.2 The vulnerability exists due to insufficient sanitization of input data passed via the "edit" HTTP GET parameter to "/wp-admin/admin.php" script when "page" is set to "easingslider_edit_sliders". A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:

http://[host]/wp-admin/admin.php?page=easingslider_edit_sliders&edit=%27%22% 3E%3Cscript%3Ealert%28/ImmuniWeb/%29;%3C/script%3E