WordPress Calls To Action 2.4.3 Cross Site Scripting Vulnerability

Product: Calls to Action WordPress plugin
Vendor: InboundNow
Vulnerable Version(s): 2.4.3 and probably prior
Tested Version: 2.4.3
Advisory Publication:  October 7, 2015  [without technical details]
Vendor Notification: October 7, 2015 
Vendor Patch: October 27, 2015 
Public Disclosure: November 4, 2015 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-8350
Risk Level: Medium 
CVSSv3 Base Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered two Cross-Site Scripting (XSS) vulnerabilities in a popular WordPress plugin Calls to Action. A remote attacker might be able to steal user's and administrator’s cookies, credentials and browser history, modify web page content to perform phishing attacks, or even to perform drive-by-download attacks by injecting malware into website pages when the victim follows a specially crafted link with XSS exploit.


1) Two Reflected XSS Vulnerabilities in Calls to Action WordPress plugin: CVE-2015-8350

1.1 Input passed via the "open-tab" HTTP GET parameter is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

A simple XSS exploit below will display JavaScript popup with "ImmuniWeb" word, when the logged-in administrators follows the malicious link:

http://[host]/wp-admin/edit.php?post_type=wp-call-to-action&page=wp_cta_global_settings&open-tab=%27%3E%3Cscript%3Ealert%28ImmuniWeb%29%3B%3C%2Fscript%3E


1.2 Input passed via the "wp-cta-variation-id" HTTP GET parameter is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

A simple XSS exploit below will display JavaScript popup with "ImmuniWeb" word, when the victim follows the malicious link:

http://[host]/cta/ab-testing-call-to-action-example/?wp-cta-variation-id=%27%22%3E%3Cscript%3Ealert%28ImmuniWeb%29;%3C/script%3E

-----------------------------------------------------------------------------------------------

Solution:

Update to Calls to Action 2.5.1

More Information:
https://github.com/inboundnow/cta/issues/137
https://wordpress.org/plugins/cta/changelog/

#  0day.today [2018-02-20]  #