Lucene search

K

WordPress Media File Renamer 1.7.0 Cross Site Scripting

πŸ—“οΈΒ 25 Feb 2014Β 00:00:00Reported byΒ Larry W. CashdollarTypeΒ 
packetstorm
Β packetstorm
πŸ”—Β packetstormsecurity.comπŸ‘Β 27Β Views

Persistent XSS in Media File Renamer plugin v1.7.0 for WordPres

Show more
Related
Code
`Title: Persistent XSS in Media File Renamer V1.7.0 wordpress plugin  
Date: 1/31/2014  
Author: Larry W. Cashdollar, @_larry0  
Vendor: Notified 2/4/2014  
CVE: 2014-2040   
Download: http://www.meow.fr/media-file-renamer/  
  
Vulnerability:  
The following functions do not sanitize input before being echoed out:   
In file mfrh_class.settings-api.php:  
166 function callback_multicheck( $args ) {  
167 $value = $this->get_option( $args['id'], $args['section'], $args['std'] );  
168   
169 $html = '';  
170 foreach ( $args['options'] as $key => $label ) {  
171 $checked = isset( $value[$key] ) ? $value[$key] : '0';  
172 $html .= sprintf( '  
', $args['section'], $a rgs['id'], $key, checked( $checked, $key, false ) );  
173 $html .= sprintf( '  
%3$s  
', $args['section'], $args['id'], $label, $key );  
174 }   
175 $html .= sprintf( '  
%s', $args['desc'] );  
176   
177 echo $html;  
178 }   
  
  
function callback_radio( $args ) {  
186   
187 $value = $this->get_option( $args['id'], $args['section'], $args['std'] );  
188   
189 $html = '';  
190 foreach ( $args['options'] as $key => $label ) {  
191 $html .= sprintf( '  
', $args['section'], $args['id'], $ key, checked( $value, $key, false ) );  
192 $html .= sprintf( '  
%3$s  
', $args['section'], $args['id'], $label, $key );  
193 }   
194 $html .= sprintf( '  
%s', $args['desc'] );  
195   
196 echo $html;  
197 }  
  
  
function callback_wysiwyg( $args ) {  
250   
251 $value = wpautop( $this->get_option( $args['id'], $args['section'], $args['std'] ) );  
252 $size = isset( $args['size'] ) && !is_null( $args['size'] ) ? $args['size'] : '500px';  
253   
254 echo '  
  
';  
255   
256 wp_editor( $value, $args['section'] . '[' . $args['id'] . ']', array( 'teeny' => true, 'textarea_rows' => 10 ) );  
257   
258 echo '  
  
';  
259   
260 echo sprintf( '  
  
%s  
', $args['desc'] );  
261 }  
  
  
PoC: If a user with permission to add media or edit media uploads a file with "<script>alert(1)</script>" as the title they can XSS the site admin user.   
  
Full Advisory: http://www.vapid.dhs.org/advisories/wordpress/plugins/MediaFileRenamer-1.7.0/index.html  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactΒ us for a demo andΒ discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo