#------------------
WordPress Count-Per-Day plugin 3.2.5. Type-1 (reflected) Cross Site
Scripting (XSS)
affected versions <= 3.2.5. (tested on 3.2.5, 3.2.3)
impact:
- code execution in browser context
author: alejandr0.m0f0
1/ navigate to the page:
/wordpress/wp-admin/?page=cpd_metaboxes
2/ bottom of the page: "visitors per day"
current date is printed (e.g., 2013-03-04)
replace this field by
2013-03-04"><img src=x onerror=alert(1)>
press show.
3/ request is submitted, server reflects the sent value. filter on
server side is identity, thus pretty easy to exploit.
the payload gets executed.
e.g., of exploitation:
POST …/wordpress/wp-admin/?page=cpd_metaboxes HTTP/1.1
…
daytoshow=2013-03-04%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&showday=Show
requirements: victim should be authenticated as user having access
to this plugin (e.g., admin)
this is still a practical attack in case e.g. attacker embeds an
iframe on a website he controls, and assuming the victim is logged in
wordpress, then the SOP access control is bypassed.