@rezaduty
Created October 10, 2019 10:36
> [Suggested description]
> The liquid-speech-balloon (aka LIQUID SPEECH BALLOON) plugin 1.0.5 for
> WordPress allows XSS with Internet Explorer.
>
> ------------------------------------------
>
> [Additional Information]
> Internet Explorer treats the accent grave (`) as an attribute delimiter
> like " and '. The quotation mark (") will be stripped from the
> attribute value when using the innerHTML property in case it doesn't
> contain a space. For example:
>
>   <div id="div1"><input value="``onmouseover=alert(1)"></div>
>   <div id="div2"></div>
>   <script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>
>
> Make sure the HTML filter you use is aware of the fact that the accent
> grave is a valid attribute delimiter for IE too - especially if users
> are allowed to post harmless JavaScript (JSReg, Google Caja). Be very
> careful when handling user generated HTML in the DOM later on. The
> innerHTML property does not always contain what it's supposed to.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> WordPress
>
> ------------------------------------------
>
> [Affected Product Code Base]
> LIQUID SPEECH BALLOON - 1.0.5
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [CVE Impact Other]
> Steal Cookies
>
> ------------------------------------------
>
> [Reference]
> https://wordpress.org/plugins/liquid-speech-balloon/#developers
Use CVE-2019-17070.
> [Suggested description]
> The client-dash (aka Client Dash) plugin 2.1.4 for WordPress allows
> XSS.
>
> ------------------------------------------
>
> [Additional Information]
>   render() {
>       return (
>           <div className="cd-editor-input cd-editor-input-text">
>               <label>
>                   {this.props.label}
>                   <input type="text" name={this.props.name} defaultValue={this.props.value}
>                          placeholder={this.props.placeholder} onChange={this.handleChange} />
>               </label>
>           </div>
>       )
>   }
>
> The input name attribute accepts HTML tags such as
> <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> WordPress
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Client Dash - 2.1.4
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [CVE Impact Other]
> Steal Cookies
>
> ------------------------------------------
>
> [Reference]
> https://wordpress.org/plugins/client-dash/#developers
Use CVE-2019-17071.
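As an added example that is not part of the gist or of either plugin, the following JavaScript shows the two defences the XSS reports above point at: attribute escaping that treats the backtick as a delimiter (CVE-2019-17070) and an allow-list for form field names (CVE-2019-17071). The helper names, the regex and the `renderTextInput` stand-in for the Client Dash input are assumptions of this example, not the plugins' code.

```javascript
// Added example, not from the gist or either plugin: attribute escaping
// that treats the accent grave as a delimiter (as the first report says
// IE does) and an allow-list for form field names such as the "name"
// prop in the second report.

// Characters that can end or alter an attribute value; the backtick is
// included because Internet Explorer accepts ` as an attribute delimiter.
const ATTR_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Escape free text for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ATTR_ESCAPES[ch]);
}

// Audit helper: does a value about to be written into an attribute still
// carry a raw delimiter or tag bracket? Catches filters that only know
// about " and ' and let the backtick through.
function hasRawAttrDelimiter(value) {
  return /["'`<>]/.test(String(value));
}

// A form field name is an identifier, not free text, so it is checked
// against an allow-list (letters, digits, _, -, and [] for array fields)
// and rejected outright rather than escaped.
const FIELD_NAME_RE = /^[A-Za-z0-9_-]+(\[[A-Za-z0-9_-]*\])*$/;

function isValidFieldName(name) {
  return typeof name === 'string' && name.length <= 128 && FIELD_NAME_RE.test(name);
}

// Hypothetical server-side replacement for the text input in the second
// report, with both defences applied. Throws on an invalid field name so
// the bad value never reaches the markup.
function renderTextInput({ name, value = '', placeholder = '' }) {
  if (!isValidFieldName(name)) {
    throw new Error('rejected field name: ' + JSON.stringify(name));
  }
  return '<input type="text"'
    + ' name="' + escapeAttr(name) + '"'
    + ' value="' + escapeAttr(value) + '"'
    + ' placeholder="' + escapeAttr(placeholder) + '">';
}
```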
> [Suggested description]
> The new-contact-form-widget (aka Contact Form Widget - Contact Query,
> Form Maker) plugin 1.0.9 for WordPress has SQL Injection via
> all-query-page.php.
>
> ------------------------------------------
>
> [Additional Information]
> all-query-page.php
>
>   //view contact query
>   if($action == "view-contact-query") {
>       $id =(int)$_POST['id'];
>       global $wpdb;
>       $table_name = $wpdb->prefix . 'awp_contact_form';
>       $user_searh_query_result = $wpdb->get_row( "SELECT * FROM `$table_name` WHERE `id` ='$id'" );
>       if($user_searh_query_result){
>           $id = $user_searh_query_result->id;
>           $name = $user_searh_query_result->name;
>           $email = $user_searh_query_result->email;
>           $date_time = $user_searh_query_result->date_time;
>           $subject = $user_searh_query_result->subject;
>           $message = $user_searh_query_result->message;
>   ?>
>           <div id="view-query-data">
>               <p><strong><?php _e('User Name:', NCFWS_TXTDM); ?> </strong><?php echo $name; ?></p>
>               <p><strong><?php _e('User Email:', NCFWS_TXTDM); ?> </strong><?php echo $email; ?></p>
>               <p><strong><?php _e('User Subject:', NCFWS_TXTDM); ?> </strong><p><?php echo $subject; ?></p></p>
>               <p><strong><?php _e('User Query:', NCFWS_TXTDM); ?> </strong><p><?php echo $message; ?></p></p>
>               <p><strong><?php _e('Date Time:', NCFWS_TXTDM); ?> </strong><?php echo $date_time; ?></p>
>           </div>
>   <?php
>       }
>   }
>
> The id parameter is vulnerable; a simple payload is:
> union SELECT 1,state,info,4 FROM INFORMATION_SCHEMA.PROCESSLIST #
>
> ------------------------------------------
>
> [Vulnerability Type]
> SQL Injection
>
> ------------------------------------------
>
> [Vendor of Product]
> WordPress
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Contact Form Widget - Contact Query, Form Maker - 1.0.9
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Steal Database Record
>
> ------------------------------------------
>
> [Attack Vectors]
> open a link with payload
>
> ------------------------------------------
>
> [Reference]
> https://wordpress.org/plugins/new-contact-form-widget/#description
Use CVE-2019-17072.
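As an added example, not from the gist or the plugin, this JavaScript scans a constructed request log for the pattern described in the SQL injection report above: POST requests to all-query-page.php whose id value is not a plain integer. The plugin path prefix, the log format and the function names are assumptions of this example.

```javascript
// Added example, not from the gist or the plugin: scan a constructed
// JSON-lines request log (one that records POST bodies) for calls to
// the plugin's all-query-page.php whose "id" is not a plain integer.
// The plugin path prefix is an assumption, not taken from the report.
const ENDPOINT = '/wp-content/plugins/new-contact-form-widget/all-query-page.php';

// Tokens that mark an id as SQL rather than a record number; covers the
// "union SELECT ... #" shape of the report's payload plus common markers.
const SQL_TOKEN_RE = /\b(union|select|information_schema)\b|--|#|\/\*|'/i;

// Minimal application/x-www-form-urlencoded decoder ('+' is a space).
function parseFormBody(body) {
  const params = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    params[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return params;
}

// One finding per suspicious request, or null when it looks benign.
function inspectRequest(req) {
  if (req.method !== 'POST' || req.path !== ENDPOINT) return null;
  const params = parseFormBody(req.body || '');
  if (params.action !== 'view-contact-query' || params.id === undefined) return null;
  if (/^\d+$/.test(params.id)) return null; // well-formed record id
  return {
    src: req.src,
    reason: SQL_TOKEN_RE.test(params.id) ? 'sql-tokens-in-id' : 'non-numeric-id',
    id: params.id,
  };
}

// Parse each JSON log line and keep only the findings.
function scanRequestLog(lines) {
  return lines.map((line) => inspectRequest(JSON.parse(line))).filter(Boolean);
}

// Constructed sample log (not real traffic): a normal lookup, a request
// carrying the report's payload in the id field, and an unrelated GET.
const SAMPLE_LOG = [
  '{"src":"203.0.113.5","method":"POST","path":"' + ENDPOINT + '","body":"action=view-contact-query&id=42"}',
  '{"src":"203.0.113.9","method":"POST","path":"' + ENDPOINT + '","body":"action=view-contact-query&id=1+union+SELECT+1%2Cstate%2Cinfo%2C4+FROM+INFORMATION_SCHEMA.PROCESSLIST+%23"}',
  '{"src":"203.0.113.7","method":"GET","path":"' + ENDPOINT + '","body":""}',
];
```

Running `scanRequestLog(SAMPLE_LOG)` returns one finding for the second line with reason `sql-tokens-in-id`; a non-numeric id without SQL tokens is reported as `non-numeric-id` so it is still reviewed.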