Home / os / solaris

Easy Testimonials WordPress Plugin Stored Cross-Site Scripting

Posted on 30 November -0001

<HTML><HEAD><TITLE>Easy Testimonials WordPress Plugin Stored Cross-Site Scripting</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Abstract Multiple stored Cross-Site Scripting vulnerabilities were found in the Easy Testimonials WordPress Plugin. These issues can be exploited by an authenticated Contributor (or higher). It allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. Contact For feedback or questions about this advisory mail us at sumofpwn at securify.nl The Summer of Pwnage This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam. OVE ID OVE-20160712-0010 Tested versions These issues were successfully tested on Easy Testimonials WordPress Plugin version 1.36.1. Fix This issue is resolved in Easy Testimonials WordPress Plugin version 1.37. Introduction Easy Testimonials is an easy-to-use plugin that allows users to add Testimonials to the sidebar, as a widget, or to embed testimonials into a Page or Post using the shortcode. Multiple stored Cross-Site Scripting vulnerabilities were found in the Easy Testimonials WordPress Plugin. These issues can be exploited by an authenticated Contributor (or higher). Details This can be exploited by users with a role lower than the Editor (which has the unfiltered_html privileges) to add scripts and HTML when creating or updating a testimonial. This is possible by the following fields: - Client Name. - Position/Web Address/Other. - Location Reviewed/Product Reviewed/Item Reviewed. The vulnerability allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website. </BODY></HTML>

 

TOP