[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] CSRF/XSS vulnerablity in Login Widget With Shortcode allows unauthenticated attackers to do anything an admin can do (WordPress plugin)

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] CSRF/XSS vulnerablity in Login Widget With Shortcode allows unauthenticated attackers to do anything an admin can do (WordPress plugin)
From: dxw Security <security@xxxxxxx>
Date: Wed, 17 Sep 2014 10:23:28 +0000

Details
================
Software: Login Widget With Shortcode
Version: 3.1.1
Homepage: http://wordpress.org/plugins/login-sidebar-widget/
Advisory report: 
https://security.dxw.com/advisories/csrfxss-vulnerablity-in-login-widget-with-shortcode-allows-unauthenticated-attackers-to-do-anything-an-admin-can-do/
CVE: Awaiting assignment
CVSS: 6.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:P)

Description
================
CSRF/XSS vulnerablity in Login Widget With Shortcode allows unauthenticated 
attackers to do anything an admin can do

Vulnerability
================
This plugin is vulnerable to a combination CSRF/XSS attack. An attacker able to 
convince an admin to visit a link of their choosing is able to insert arbitrary 
HTML into an admin page.  Using that ability they can use JavaScript to control 
an admin user’s browser, allowing the attacker to create user accounts, create 
posts, delete all posts, etc.

Proof of concept
================
If a logged-in administrator user clicks the submit button on this form, a 
javascript alert will display in the admin screens. (In a real attack the form 
can be made to auto-submit using Javascript).
<form method=\"POST\" 
action=\"http://localhost/wp-admin/options-general.php?page=login_widget_afo\";>
  <input type=\"text\" name=\"custom_style_afo\" 
value=\"&lt;/textarea>&lt;script>alert(1)&lt;/script>\">
  <input type=\"text\" name=\"option\" value=\"login_widget_afo_save_settings\">
  <input type=\"submit\">
</form>

Mitigations
================
Upgrade to version 3.2.1 or later.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our 
disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@xxxxxxx to acknowledge this report if you 
received it via a third party (for example, plugins@xxxxxxxxxxxxx) as they 
generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this 
report with 14 days.

Timeline
================

2014-08-26: Discovered
2014-09-15: Reported to vendor by email
2014-09-15: Vendor reported the issue fixed and a new version released
2014-09-17: Published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
          


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] [CORE-2014-0006] - Delphi and C++ Builder VCL library Heap Buffer Overflow
Next by Date: [FD] Reflected XSS in WooCommerce – excelling eCommerce allows attackers ability to do almost anything an admin user can do (WordPress plugin)
Previous by thread: [FD] [CORE-2014-0006] - Delphi and C++ Builder VCL library Heap Buffer Overflow
Next by thread: [FD] Reflected XSS in WooCommerce – excelling eCommerce allows attackers ability to do almost anything an admin user can do (WordPress plugin)
Index(es):
- Date
- Thread