PROJECT INSECURITY

[+]---------------------------------------------------------[+]
| Vulnerable Software: Fancy Product Designer (WP plugin)     |
| Vendor: http://fancyproductdesigner.com                     |
| Vulnerability Type: Stored XSS + FPD / File upload          |
| Date Released: 29/04/2017                                   |
| Released by: 5tarboy (@insecurity)                          |
[+]---------------------------------------------------------[+]

Fancy Product Designer is a paid WordPress plugin ($50 fee) that allows users to upload custom products of their choice to the site. The upload form claims that it only allows files of PNG and JPG format, but it is possible to upload SVG files as well. There are an estimated 40,000-50,000 vulnerable sites.

In order to replicate this vulnerability, navigate to the product upload page and simply upload an .svg payload.

Here is an example: https://www.saltsidecreations.com/product/ozark-20-oz/

It is possible to upload an .svg file via the image upload form - the file will be stored at http://[HOST]/wp-content/uploads/

Here is an example SVG file that can be uploaded (resulting in persistent/stored XSS):

------------------------------------------------------------------------------------------------------------
twitter: @insecurity
-------------------------------------------------------------------------------------------------------------

Here is a live example: https://www.saltsidecreations.com/wp-content/uploads/fancy_products_uploads/2017/04/28/insecurity.svg

This could have a variety of impacts, ranging from stealing cookies and regular XSS-related risks to a highly effective spear phishing campaign.

Google Dork: inurl:fancy_products_uploads

-------------------------------------------------------------------------------------------------------------

How to fix: Use a whitelist for file uploads (e.g. only allow JPG and PNG, no .svg).

There are also multiple full path disclosures (FPD) for this plugin, but WP is riddled with FPD. If you're interested then get in touch (although I'm pretty sure there are tons of files in /wp-includes/ that will give you FPD anyway, presuming no error_reporting(0) is set).

[+]---------------------------------------------------------[+]
| CONTACT US:                                                 |
|                                                             |
| IRC: irc.insecurity.zone (6667/6697) #insecurity            |
| Twitter: @insecurity                                        |
| Website: insecurity.zone                                    |
[+]---------------------------------------------------------[+]
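The whitelist fix above only works if the server checks file content as well as the client-supplied name, since an SVG renamed to .png still carries markup. The following is an added example of such a check (not the plugin's code); the function name, the sample inputs and the 512-byte sniff window are assumptions made for illustration.

```python
"""Allowlist check for an image upload: JPG/PNG by extension AND by content."""
import os

# Extension allowlist mapped to the magic bytes a real file of that type
# must start with. SVG is XML text and can never match either signature.
ALLOWED = {
    ".jpg":  b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png":  b"\x89PNG\r\n\x1a\n",
}


def validate_image_upload(client_name: str, data: bytes) -> str:
    """Return the canonical extension to store under, or raise ValueError.

    client_name is the untrusted filename from the multipart form and data
    is the uploaded bytes. The caller stores the file under a server-generated
    name with the returned extension, never under client_name.
    """
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} is not in the allowlist")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError(f"content does not start with a {ext} signature")
    # Belt and braces: refuse anything a browser could sniff as markup in the
    # first bytes, which is exactly what turns an uploaded SVG into stored XSS.
    head = data[:512].lower()
    if b"<svg" in head or b"<?xml" in head or b"<script" in head:
        raise ValueError("markup found in image header")
    return ".jpg" if ext == ".jpeg" else ext


# Constructed samples (not real uploads): a minimal PNG header and an SVG body.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_SVG = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"></svg>'


def check_samples() -> dict:
    """Run the validator over the samples; returns accepted/rejected per name."""
    results = {}
    for name, blob in [("logo.png", SAMPLE_PNG), ("logo.svg", SAMPLE_SVG),
                       ("logo.png.svg", SAMPLE_SVG), ("renamed.png", SAMPLE_SVG)]:
        try:
            validate_image_upload(name, blob)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = "rejected: " + str(exc)
    return results
```

Only "logo.png" is accepted; the three SVG variants are rejected by the extension check or by the magic-byte check even when the name claims .png.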