High-Tech Bridge advisory HTB23274
Oct 07, 2015 - 12:00 a.m.

Two Reflected XSS Vulnerabilities in Calls to Action WordPress plugin

2015-10-07 00:00:00
High-Tech Bridge, www.htbridge.com

EPSS: 0.001 (percentile 43.8%)

High-Tech Bridge Security Research Lab discovered two Cross-Site Scripting (XSS) vulnerabilities in the popular WordPress plugin Calls to Action. A remote attacker might be able to steal users’ and administrators’ cookies, credentials and browser history, modify web page content to perform phishing attacks, or even perform drive-by-download attacks by injecting malware into website pages when the victim follows a specially crafted link containing the XSS exploit.

  1. Two Reflected XSS Vulnerabilities in Calls to Action WordPress plugin: CVE-2015-8350

1.1 Input passed via the “open-tab” HTTP GET parameter is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

The simple XSS exploit below will display a JavaScript popup with the word “ImmuniWeb” when a logged-in administrator follows the malicious link:

http://[host]/wp-admin/edit.php?post_type=wp-call-to-action&page=wp_cta_global_settings&open-tab=%27%3E%3Cscript%3Ealert%28ImmuniWeb%29%3B%3C%2Fscript%3E

1.2 Input passed via the “wp-cta-variation-id” HTTP GET parameter is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

The simple XSS exploit below will display a JavaScript popup with the word “ImmuniWeb” when the victim follows the malicious link:

http://[host]/cta/ab-testing-call-to-action-example/?wp-cta-variation-id=%27%22%3E%3Cscript%3Ealert%28ImmuniWeb%29;%3C/script%3E
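Both findings (1.1 and 1.2) are the same defect: a GET parameter is written back into the page without being escaped for its output context. The PHP below is an added illustration, not the Calls to Action plugin's own code, showing the vulnerable pattern beside the WordPress-idiomatic fix. Only the two parameter names come from the advisory; the surrounding markup, the tab names in the allow-list and the function names are assumptions. The `function_exists` fallbacks let the file run outside WordPress, where `esc_attr()`, `sanitize_key()` and `absint()` would normally be provided by core.

```php
<?php
// Added example (not the plugin's code). Minimal stand-ins so the file runs
// without WordPress; inside WordPress the core functions are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_key')) {
    function sanitize_key(string $s): string {
        return preg_replace('/[^a-z0-9_\-]/', '', strtolower($s));
    }
}
if (!function_exists('absint')) {
    function absint($v): int {
        return abs((int) $v);
    }
}

// Vulnerable pattern (what the advisory describes for 1.1): the raw
// "open-tab" value is interpolated into an attribute. A value beginning
// with '> closes the attribute and the tag, so any following markup,
// including <script>, becomes part of the rendered page.
function cta_render_tab_vulnerable(array $get): string {
    $tab = $get['open-tab'] ?? 'general';
    return "<a class='nav-tab' data-tab='" . $tab . "'>Settings</a>";
}

// Hardened pattern: canonicalise, validate against an allow-list of
// known tab names (assumed here), and escape for the attribute context.
function cta_render_tab_safe(array $get): string {
    $allowed = ['general', 'ab-testing', 'templates'];   // assumed tab names
    $tab = sanitize_key((string) ($get['open-tab'] ?? 'general'));
    if (!in_array($tab, $allowed, true)) {
        $tab = 'general';
    }
    return "<a class='nav-tab' data-tab='" . esc_attr($tab) . "'>Settings</a>";
}

// Same class of fix for 1.2: a variation id is numeric, so reduce the
// parameter to a non-negative integer before it reaches any output.
function cta_variation_id_safe(array $get): int {
    return absint($get['wp-cta-variation-id'] ?? 0);
}

// Constructed request values mirroring the shape of the advisory's payloads.
$request = [
    'open-tab'            => "'><script>alert(1);</script>",
    'wp-cta-variation-id' => "'\"><script>alert(1);</script>",
];

echo "vulnerable: " . cta_render_tab_vulnerable($request) . PHP_EOL;
echo "hardened:   " . cta_render_tab_safe($request) . PHP_EOL;
echo "variation:  " . cta_variation_id_safe($request) . PHP_EOL;
```

Run with `php example.php`: the vulnerable line contains a live `<script>` element, the hardened line falls back to `data-tab='general'` because the payload is not an allowed tab name, and the variation id collapses to `0`. In the hardened version the allow-list is the primary control and `esc_attr()` is defence in depth; reviewing a plugin for this class of bug means finding every `$_GET`/`$_REQUEST` read that reaches `echo`, string concatenation or a template without passing through one of the `esc_*()` or `sanitize_*()` functions appropriate to its output context.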
