exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Fancy Product Designer For WooCommerce Cross Site Scripting

WordPress Fancy Product Designer For WooCommerce Cross Site Scripting
Posted Nov 18, 2020
Authored by Jonathan Gregson

WordPress Fancy Product Designer for WooCommerce plugin versions prior to 4.5.1 suffer from a persistent cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | c2c7ecac4f728b70f667e20bd8ac5b7a0fdfdb834ec7d79083882c4dfa3d69b4

WordPress Fancy Product Designer For WooCommerce Cross Site Scripting

Change Mirror Download
## About Fancy Product Designer for WooCommerce
Fancy Product Designer for WooCommerce is a WordPress plugin which allows users to design custom products in a vendor's WooCommerce store. It is sold through the third-party marketplace "Envato Market" and boasts over 15,000 sales.

## Stored XSS via SVG upload
Fancy Product Designer for WooCommerce before version 4.5.1 permits the upload of unsanitized SVG files by unauthenticated users. SVG files can contain JavaScript which will be executed by the browser if the malicious SVG is accessed directly. This JavaScript will run in the context of the affected domain and logged in user.

The "Require Login" setting in FPD before version 4.5.1 does not succeed in requiring users to be logged in to upload files, meaning any unauthenticated user can exploit this vulnerability.

### Details
To exploit this vulnerability, an attacker needs to upload a specially crafted SVG using Fancy Product Designer and convince a logged-in user or admin to access the SVG. Once accessed, the browser will execute the JavaScript payload in the context of the user or admin on the affected domain.

### Impact
This vulnerability can result in the takeover of any user's account on the affected domain. If an SVG containing a stored XSS payload is opened by a logged in administrator, it could lead to the compromise of the entire site. If opened by an anonymous user, it could attempt to phish the user's credentials by imitating a WordPress login page.

SVGs accessed in this way can trivially read out current `_wpnonce` values, giving an attacker unfettered access to the entire WordPress API of an affected site.

### Proof of Concept
- Account takeover SVG: [change-user-email.svg](https://github.com/jdgregson/Disclosures/blob/master/fancy-product-designer/stored-xss-via-svg-upload/change-user-email.svg)
- Demo video: [stored-xss-account-takover.mp4](https://raw.githubusercontent.com/jdgregson/Disclosures/master/fancy-product-designer/stored-xss-via-svg-upload/stored-xss-account-takover.mp4)

### Disclosure Timeline
- 10/10/2020: issue reported via ticket on developer's support form
- 10/11/2020: developer responded discussing potential mitigations
- 10/20/2020: developer released an update which did not address the issue
- 10/26/2020: developer released an update which addressed the issue by only allowing a subset of tags and attributes in uploaded SVGs
- 11/15/2020: full disclosure



Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    6 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close