WordPress Calls to Action plugin version 2.4.3 suffers from a cross site scripting vulnerability.
Product: Calls to Action WordPress plugin
Vendor: InboundNow
Vulnerable Version(s): 2.4.3 and probably prior
Tested Version: 2.4.3
Advisory Publication: October 7, 2015 [without technical details]
Vendor Notification: October 7, 2015
Vendor Patch: October 27, 2015
Public Disclosure: November 4, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-8350
Risk Level: Medium
CVSSv3 Base Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered two Cross-Site Scripting (XSS) vulnerabilities in a popular WordPress plugin Calls to Action. A remote attacker might be able to steal user's and administratorβs cookies, credentials and browser history, modify web page content to perform phishing attacks, or even to perform drive-by-download attacks by injecting malware into website pages when the victim follows a specially crafted link with XSS exploit.
1) Two Reflected XSS Vulnerabilities in Calls to Action WordPress plugin: CVE-2015-8350
1.1 Input passed via the "open-tab" HTTP GET parameter is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
A simple XSS exploit below will display JavaScript popup with "ImmuniWeb" word, when the logged-in administrators follows the malicious link:
http://[host]/wp-admin/edit.php?post_type=wp-call-to-action&page=wp_cta_global_settings&open-tab=%27%3E%3Cscript%3Ealert%28ImmuniWeb%29%3B%3C%2Fscript%3E
1.2 Input passed via the "wp-cta-variation-id" HTTP GET parameter is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
A simple XSS exploit below will display JavaScript popup with "ImmuniWeb" word, when the victim follows the malicious link:
http://[host]/cta/ab-testing-call-to-action-example/?wp-cta-variation-id=%27%22%3E%3Cscript%3Ealert%28ImmuniWeb%29;%3C/script%3E
-----------------------------------------------------------------------------------------------
Solution:
Update to Calls to Action 2.5.1
More Information:
https://github.com/inboundnow/cta/issues/137
https://wordpress.org/plugins/cta/changelog/
# 0day.today [2018-02-20] #