Simply Poll CSRF and XSS

# Exploit Title: WordPress Simply Poll Plugin 1.4.1 CSRF and stored XSS # Google Dork: inurl:"/wp-content/plugins/simply-poll # Date: 16.03.2013 # Exploit Author: m3tamantra # Vendor Homepage: http://wordpress.org/extend/plugins/simply-poll/ # Software Link: http://downloads.wordpress.org/plugin/simply-poll.1.4.1.zip # Version: 1.4.1 # Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) Note: After a email to plugins@wordpress.org, "Simply Poll Plugin" was deleted. Description: - The question parameter is vulnerable to XSS - Simply Poll has an CSRF vulnerability (Polls=>Add New) The PoC leads to arbitrary javascript execution in back-end area. Steps to exploit the Flaw: - Save PoC code in html file - Send a link (pointing to the PoC html file) to a logged in admin - When Admin view the Page he will automatically add a new Poll which exploits an XSS vulnerability in the question parameter - When the admin views the Polls the javascript Code will execute Note: this was just an example, it is also possible to remove, reset and edit all Polls. [code] Simply Poll CSRF and XSS [/code]