Visit the following page on a site with this plugin installed:
http://yourwordpresssite.com/wordpress/wpadmin/admin.php?page=crony&action=manage&do=create and modify the value of the name variable with the payload <script>alert('Vulnerable2CSRF&XSS')</script>, then send the request to the server after generating the CSRF request for the victim. The added XSS payload is then executed on the victim's system, which can be compromised.
Note: the XSS payload was also tested against the application after the unfiltered-HTML setting below had been added to wp-config.php (this constant only removes the unfiltered_html capability used by WordPress core's own content filtering; it does not sanitize input that a plugin handles itself, which is why the payload still executed).
define( 'DISALLOW_UNFILTERED_HTML', true );
Issue 1: The name variable in the POST request to http://yourwordpresssite.com/wordpress/wpadmin/admin.php?page=crony&action=manage&do=create is vulnerable to XSS, and the same request is also exploitable through CSRF because it carries no anti-CSRF token.
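The two defects in Issue 1 are independent: the missing nonce lets a cross-site page submit the create request, and the missing sanitization and output escaping let the stored name run as script. The following PHP is an added illustration written for this page, not the Crony plugin's own code; the function names, option name and capability are hypothetical. It shows the unsafe handler shape the advisory describes next to a version hardened with the standard WordPress nonce, capability, sanitization and escaping calls.

```php
<?php
// Added illustration, not the Crony plugin's code: a hypothetical admin-page
// handler that creates a cron job entry, first in the unsafe shape the advisory
// describes, then hardened.

// --- Unsafe pattern (hypothetical): no nonce, no capability check, the raw
// $_POST['name'] is stored and later echoed back unescaped. ------------------
function crony_example_create_unsafe() {
    $name = $_POST['name'];                                  // attacker-controlled
    $jobs   = get_option( 'crony_example_jobs', array() );
    $jobs[] = array( 'name' => $name );
    update_option( 'crony_example_jobs', $jobs );
    echo '<td>' . $name . '</td>';                           // stored XSS on render
}

// --- Hardened version -------------------------------------------------------
// 1. The form carries a nonce bound to this specific action.
function crony_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=crony_example&action=manage&do=create' ) ); ?>">
        <?php wp_nonce_field( 'crony_example_create', 'crony_example_nonce' ); ?>
        <input type="text" name="name" value="" />
        <input type="submit" class="button-primary" value="Create" />
    </form>
    <?php
}

// 2. The handler checks capability and nonce before reading input, sanitizes
//    what it stores, and rejects values outside the expected shape.
function crony_example_create_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() stops with a 403 when the nonce is absent or stale,
    // which is exactly what blocks a request submitted from a third-party page.
    check_admin_referer( 'crony_example_create', 'crony_example_nonce' );

    $raw  = isset( $_POST['name'] ) ? wp_unslash( $_POST['name'] ) : '';
    $name = sanitize_text_field( $raw );   // strips tags, octets and control characters
    if ( '' === $name || strlen( $name ) > 100 ) {
        wp_die( 'Invalid job name.', '', array( 'response' => 400 ) );
    }

    $jobs   = get_option( 'crony_example_jobs', array() );
    $jobs[] = array( 'name' => $name );
    update_option( 'crony_example_jobs', $jobs );
}

// 3. Output is escaped at render time regardless of what is stored, so a value
//    that reached the database by another route still cannot execute.
function crony_example_list_jobs() {
    foreach ( (array) get_option( 'crony_example_jobs', array() ) as $job ) {
        echo '<tr><td>' . esc_html( $job['name'] ) . '</td></tr>';
    }
}
```

Both layers matter: the nonce alone would not stop a logged-in administrator from being tricked into submitting script through the legitimate form, and escaping alone would not stop a forged request from creating unwanted cron jobs. When reviewing a plugin for this bug class, look for every admin.php?page= handler that writes from $_POST or $_GET without a preceding check_admin_referer()/wp_verify_nonce() and a current_user_can() check, and for every echo of stored data that is not wrapped in esc_html()/esc_attr().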
Figure 01: Cronjobs list before CSRF code & XSS payload gets executed.
Figure 02: Name variable input field, which is vulnerable to XSS.
Figure 03: Capturing the HTTP request in the intercept proxy.
Figure 04: Created a crafted HTML page with XSS input and CSRF Request.
Note: After creating the CSRF HTML page, the user logs out and logs in again, and the HTML page is then executed. In this case, we executed it from the local machine.
Figure 05: XSS payload executed in the browser once the link sent by the attacker was clicked.
Figure 06: XSS payload executed and a new cronjob created.