Securin Zero-Days

CVE-2017-14530 – Cross-Site Scripting & Cross-Site Request Forgery in Crony Cronjob Manager
Affected Product

Securin ID

August 28, 2015


A cross-site request forgery vulnerability was identified in the WordPress plugin Crony Cronjob Manager before 0.4.4. The flaw is reachable through the name parameter of an action=manage&do=create request: the plugin fails to validate a CSRF token before handling the POST request.

Proof of Concept (POC):

Visit the following page on a site with this plugin installed, modify the value of the name variable to the <script>alert('Vulnerable2CSRF&XSS')</script> payload, and send the request to the server after delivering the CSRF request to the victim. The injected XSS payload then executes on the victim's system, which can be compromised.

Note: The XSS payload was tested against the application after enabling the unfiltered HTML setting in the wp-config.php file.


Issue 1: The name variable submitted in the POST request to this URL is vulnerable to XSS, and the plugin is also exploitable through the CSRF vulnerability.

Figure 01: Cronjobs list before CSRF code & XSS payload gets executed.


Figure 02: Name variable input field, which is vulnerable to XSS.


Figure 03: Capturing the HTTP request in the intercept proxy.


Figure 04: Created a crafted HTML page with XSS input and CSRF Request.

Note: After creating the CSRF HTML page, the user logs out and logs in again, and the HTML page is then executed. In this case, we executed it from the local machine.


Figure 05: XSS Payload gets executed in the browser once the link sent by the attacker has been clicked.


Figure 06: XSS payload gets executed, and a new cronjob is created.


An attacker can exploit this by persuading a user of the interface to follow a malicious link, allowing the attacker to perform arbitrary actions with the privilege level of the affected user.


Download the latest version from the vendor advisory and update.
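The vendor's patch is not reproduced on this page. As an added illustration (not the plugin's own code), the following shows the shape of a WordPress handler for a create request that has the two defects described above, next to a hardened version that binds a nonce to the create action, checks the user's capability, sanitizes the name on input and escapes it on output. The function names, option key and admin page path are assumptions.

```php
<?php
// Added illustration, not Crony Cronjob Manager's code: an admin-page handler
// for "action=manage&do=create" that accepts a cronjob "name" via POST.

// --- Vulnerable shape (assumed, mirrors the advisory): no CSRF token check,
// --- value stored unsanitized and reflected without escaping.
function crony_demo_create_vulnerable() {
    if ( ! isset( $_POST['name'] ) ) {
        return;
    }
    $name = $_POST['name'];                      // attacker-controlled input
    update_option( 'crony_demo_last_name', $name );
    echo '<p>Created cronjob: ' . $name . '</p>'; // becomes markup in the page
}

// --- Hardened shape: the form carries a nonce bound to the create action and
// --- to the logged-in user, so a cross-site POST cannot supply a valid one.
function crony_demo_create_form() {
    $url = admin_url( 'admin.php?page=crony&action=manage&do=create' ); // assumed path
    echo '<form method="post" action="' . esc_url( $url ) . '">';
    wp_nonce_field( 'crony_demo_create', '_crony_nonce' ); // hidden nonce field
    echo '<input type="text" name="name" />';
    submit_button( 'Create' );
    echo '</form>';
}

function crony_demo_create_hardened() {
    if ( ! isset( $_POST['name'] ) ) {
        return;
    }
    // Only users permitted to manage options may create jobs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Dies unless the nonce was generated for this user and this action
    // within its lifetime; this is the check the advisory reports as missing.
    check_admin_referer( 'crony_demo_create', '_crony_nonce' );

    // Strip tags and control characters before the value is stored.
    $name = sanitize_text_field( wp_unslash( $_POST['name'] ) );
    update_option( 'crony_demo_last_name', $name );

    // Escape on output so a stored value can never be interpreted as markup.
    echo '<p>Created cronjob: ' . esc_html( $name ) . '</p>';
}
```

Note that the nonce check alone closes the CSRF path but not the XSS: a user who already holds the unfiltered_html capability can still submit a script tag legitimately, so the escaping on output is what keeps the stored name inert.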


Aug 28, 2015: Discovered in Crony Cronjob Manager Version 0.4.4.
Aug 28, 2015: Reported to the vendor
Aug 28, 2015: Vendor acknowledged the report
Sep 27, 2015: Issues fixed in version 0.4.6.
