WPEX-ID: 070648AA-9928-425D-A189-9AE3481F3875
Author: Robert Sæther
Published: May 06, 2016 - 12:00 a.m.

safe-editor <= 1.1 - Unauthenticated CSS/JS-injection


EPSS: 0.001 (Low), percentile 40.8%

When JS/CSS is saved in this plugin, the save handler is registered on both the private (logged-in) and the public (unauthenticated) AJAX hook. Because of this, anyone can post JS/CSS that is saved to the database and printed in the head and footer portion of the page.

In the file "index.php" (in the plugin's root folder), lines 188 and 189 register both the private and the public AJAX hook, and both point at the function "se_save".
This function performs no authentication check and no sanitising of the submitted string. Therefore anything can be injected where "wp_head" and "wp_footer" are called. With, for example, cURL or the Chrome app Postman this can be exploited with ease.

Example:
URL: http://www.site.com/wp-admin/admin-ajax.php

(POST data displayed as JSON)

# JS injection
{
  "type": "js",
  "data": "alert(\"Hello world!\");",
  "action": "se_save"
}

# CSS injection
{
  "type": "css",
  "data": "body { display: none !important; }",
  "action": "se_save"
}
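For comparison, this is the shape the handler above should have had: only the logged-in hook is registered, and the handler enforces a nonce and a capability before writing. This is an added example, not the safe-editor plugin's own code; the nonce action name ("se_save") and the option names ("se_custom_js", "se_custom_css") are assumptions.

```php
<?php
// Added example (not the safe-editor plugin's code): hardened form of an
// admin-ajax save handler for site-wide JS/CSS. Nonce action and option
// names are assumptions. The stored value is intentionally raw JS/CSS that
// is later printed into wp_head/wp_footer, so output escaping is not the
// control here; authorization and CSRF protection are.

// Vulnerable registration as described in the advisory: one handler on both
// hooks, so unauthenticated visitors reach it with no checks at all.
// add_action( 'wp_ajax_se_save',        'se_save' );
// add_action( 'wp_ajax_nopriv_se_save', 'se_save' );

// Hardened: register the logged-in hook only. No nopriv variant exists, so
// admin-ajax.php returns "0" to anonymous callers before the handler runs.
add_action( 'wp_ajax_se_save', 'se_save_hardened' );

function se_save_hardened() {
    // CSRF: the request must carry a nonce minted for this action
    // (check_ajax_referer dies with a 403 on a missing or invalid nonce).
    check_ajax_referer( 'se_save', '_wpnonce' );

    // Authorization: only users already trusted to publish unfiltered
    // markup may write JS/CSS that every visitor will execute.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input validation: 'type' selects the storage slot, so pin it to the
    // two known values instead of concatenating arbitrary input.
    $type = isset( $_POST['type'] ) ? sanitize_key( wp_unslash( $_POST['type'] ) ) : '';
    if ( ! in_array( $type, array( 'js', 'css' ), true ) ) {
        wp_send_json_error( 'invalid type', 400 );
    }

    $data = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';
    update_option( 'se_custom_' . $type, $data, false );

    wp_send_json_success( array( 'type' => $type ) );
}
```

The editor page must then include a nonce from wp_create_nonce( 'se_save' ) (for example via wp_localize_script) as the _wpnonce field of the POST, or every save is rejected.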

