Vendor: uCan Post
By: Gianluca Brindisi
CVSS: 3.3 (MEDIUM)
Vulnerability type: Stored XSS
CWE: 79
Product Name: uCan Post
Affected Version From: 1.0.09
Affected Version To: 1.0.09
Patch Exists: YES
Related CWE: N/A
CPE: 2.3:a:wordpress:ucan_post:1.0.09
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2012

WordPress uCan Post plugin <= 1.0.09 Stored XSS

The submission form of the WordPress uCan Post plugin does not sanitize its input, which results in stored XSS in admin pages. The Name, Email and Post Title fields are not sanitized and accept a payload that is stored and rendered on the pending submissions page in the admin panel. The Email field is checked for a valid address, so at most it yields reflected XSS. If the plugin is configured so that publishing a post from the public interface requires no permissions, the stored payload is also rendered on the public page.

Mitigation:

Sanitize user input and validate data before storing it in the database.
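The vulnerable pattern beside its hardened form, as an added example that is not the plugin's actual code, using WordPress's own sanitization and escaping helpers; the handler, option and field names are hypothetical. Sanitizing on input alone is not enough: the stored values must also be escaped for their HTML context when rendered in admin or public pages.

```php
<?php
// Added illustration (not the uCan Post plugin's own code): a minimal front-end
// submission handler in the pattern the advisory describes; all names are hypothetical.

// VULNERABLE pattern: raw POST values are stored, then echoed into the admin
// "pending submissions" page without escaping.
function ucp_demo_store_unsafe() {
    $submission = array(
        'name'  => $_POST['name'],
        'email' => $_POST['email'],
        'title' => $_POST['title'],
    );
    update_option('ucp_demo_pending', $submission); // stored verbatim
}

function ucp_demo_render_unsafe() {
    $s = get_option('ucp_demo_pending');
    // Raw output inside admin HTML: a stored payload runs in the admin's browser.
    echo '<td>' . $s['name'] . '</td>';
    echo '<td><input type="text" value="' . $s['email'] . '"></td>';
    echo '<td>' . $s['title'] . '</td>';
}

// HARDENED: check a nonce, sanitize on input, reject (never echo back) a bad
// email, and escape for the HTML context on output.
function ucp_demo_store_safe() {
    $nonce = isset($_POST['ucp_nonce']) ? $_POST['ucp_nonce'] : '';
    if (!wp_verify_nonce($nonce, 'ucp_submit')) {
        wp_die('Invalid request.');
    }
    $email = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    if (!is_email($email)) {
        wp_die('Invalid email address.'); // generic message, no reflection
    }
    $submission = array(
        'name'  => sanitize_text_field(wp_unslash($_POST['name'] ?? '')),
        'email' => $email,
        'title' => sanitize_text_field(wp_unslash($_POST['title'] ?? '')),
    );
    update_option('ucp_demo_pending', $submission);
}

function ucp_demo_render_safe() {
    $s = get_option('ucp_demo_pending');
    // sanitize_text_field() strips tags but not quotes, so escaping at output
    // time is still required and must match the context (text vs. attribute).
    echo '<td>' . esc_html($s['name']) . '</td>';
    echo '<td><input type="text" value="' . esc_attr($s['email']) . '"></td>';
    echo '<td>' . esc_html($s['title']) . '</td>';
}
```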

Exploit-DB raw data:

# Exploit Title: Wordpress uCan Post plugin <= 1.0.09 Stored XSS
# Dork: inurl:/wp-content/plugins/ucan-post/
# Date: 2012/01/18 
# Author: Gianluca Brindisi (gATbrindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/ucan-post.1.0.09.zip
# Version: 1.0.09

1)  You need permissions to publish a post from the public interface:

    The submission form is not well sanitized and will result in stored xss
    in admin pages:

    * Name field is not sanitized and it's injectable with a payload 
      which will be stored in the pending submission page in admin panel
      POC: myname'"><script>window.alert(document.cookie)</script>

    * Email field is not sanitized, but it will check for a valid email address,
      so the maximum result will be a reflected XSS
      POC: my@mail.com'"><script>window.alert(document.cookie)</script>

    * Post Title is not sanitized and it's injectable with a payload
      which will be stored in the pending submissions page in admin panel
      POC: title'"><script>window.alert(document.cookie)</script>