# WP FuneralPress - stored XSS in guestbook
#
# "FuneralPress is an online website obituary management and guest book
# program for funeral homes and cemeteries"
# http://wpfuneralpress.com/
#
# tested on: FuneralPress version 1.1.6 / WordPress version 3.5.1
#
# impact:
# malicious script execution as WordPress administrator
#
# author: robarmstrong.te71@gmail.com
#
# summary

A low-privilege or guest user can inject code via the , <textarea name="youtube-message"> and :

Poor Peter was a fine old chap, such a pity he was eaten to death by a pack of wild children.

2. The site administrator browses to http://site/wp-admin/admin.php?page=wpfh-guestbook, sees an entry with a message preview that reads "Poor Peter was a fine old chap..." and approves it.

3. Anyone browsing to http://site/obituaries/?id=1+&f=guestbook will execute the injected script.

The XSS flaws in :

5. The site administrator browses to http://site/wp-admin/admin.php?page=wpfh-guestbook and the scripts that have been injected into are executed:
View Video
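The root cause described above is guest-controlled guestbook fields being written into HTML unescaped, both in the wp-admin moderation list and on the public obituary page. The following is an added example, not FuneralPress code, contrasting that pattern with a hardened renderer and submission handler; it assumes a WordPress runtime for esc_html(), esc_url(), sanitize_text_field(), sanitize_textarea_field(), esc_url_raw() and wp_verify_nonce(), and the field names `name` and `youtube` plus the nonce action `wpfh_guestbook` are hypothetical (only `youtube-message` comes from the advisory).

```php
<?php
// Added example (not FuneralPress code). Assumes WordPress is loaded so the
// esc_*/sanitize_* helpers and wp_verify_nonce() exist.

// Constructed entry as the moderation queue might hold it; the markup in the
// name field stands in for whatever a guest typed into the form.
$entry = array(
    'name'    => 'Anonymous <b>guest</b>',
    'message' => "Poor Peter was a fine old chap, such a pity he was eaten\n"
               . 'to death by a pack of wild children.',
    'youtube' => 'https://www.youtube.com/watch?v=PLACEHOLDER_ID', // placeholder
);

// Vulnerable pattern: guest-controlled fields are concatenated straight into
// HTML, so the admin preview and the public page render whatever markup the
// guest submitted. This is the shape of the flaw the advisory reports.
function render_entry_unsafe(array $e): string {
    return '<li><strong>' . $e['name'] . '</strong>: ' . $e['message'] . '</li>';
}

// Hardened pattern: escape each value for the context it lands in. Using the
// same helper for the moderation list and the public page closes both the
// administrator-side and the visitor-side execution paths.
function render_entry_safe(array $e): string {
    $html  = '<li><strong>' . esc_html($e['name']) . '</strong>: ';
    $html .= nl2br(esc_html($e['message']));
    if (!empty($e['youtube'])) {
        $html .= ' <a href="' . esc_url($e['youtube']) . '">View Video</a>';
    }
    return $html . '</li>';
}

// Defence in depth on the submission side: normalise input before storing and
// require a nonce so the guestbook form cannot be posted cross-site.
// 'wpfh_guestbook' is a hypothetical nonce action name.
function handle_guestbook_post(array $post): array {
    if (!isset($post['_wpnonce']) || !wp_verify_nonce($post['_wpnonce'], 'wpfh_guestbook')) {
        wp_die('Invalid request');
    }
    return array(
        'name'    => sanitize_text_field($post['name'] ?? ''),
        'message' => sanitize_textarea_field($post['youtube-message'] ?? ''),
        'youtube' => esc_url_raw($post['youtube'] ?? ''),
    );
}

// The safe renderer emits the guest's <b> tag as literal text, not markup.
echo render_entry_safe($entry);
```

Output escaping is the fix that matters; input sanitisation alone would still leave the stored entries from before the fix rendering as markup.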