
CVE-2017-9419: WordPress WP Custom Fields Search v.0.3.28 Reflected Cross-Site Scripting (XSS)

Identification Date: 11/06/2017
Vendor Homepage: http://www.webhammer.co.uk/wordpress#tab-wp-custom-fields-search
Software Link: http://wordpress.org/plugins/wp-custom-fields-search/


Description

This version of the WP Custom Fields Search plug-in is vulnerable to reflected Cross-Site Scripting in the “cs-all-0” parameter because user-supplied input is not properly sanitised or escaped before it is reflected in the page. An attacker can execute arbitrary JavaScript in the victim’s browser using a specially crafted URL: when the victim clicks the malicious link, the injected JavaScript runs.

Proof of Concept

To reproduce the issue, use the link below.

http://[wordpress_site]/?search-class=DB_CustomSearch_Widget-db_customsearch_widget&widget_number=2&cs-all-0=’>&cs–1=&search=Search

As a result, the JavaScript code executes, as shown in the proof of concept image below.
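An added detection example, not part of the original advisory: a Python scan over constructed access-log lines that flags requests routed to the plug-in’s search widget whose cs-* parameters carry HTML or script metacharacters, including percent-encoded and double-encoded forms. The combined log format, the metacharacter heuristic and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed combined log format: client - - [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Heuristic: metacharacters and event-handler names a plain search term never needs
SUSPICIOUS = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)
WIDGET_CLASS = "DB_CustomSearch_Widget"  # search-class prefix seen in the PoC URL

def decode_fully(value, rounds=3):
    """Peel off up to `rounds` layers of percent-encoding so %2527 is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_request(path):
    """Return (param, decoded_value) pairs for cs-* parameters that look like XSS probes."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    # Only requests handed to the custom search widget are in scope for this CVE
    if not any(v.startswith(WIDGET_CLASS) for v in query.get("search-class", [])):
        return []
    hits = []
    for name, values in query.items():
        if name.startswith("cs-"):
            for raw in values:
                decoded = decode_fully(raw)
                if SUSPICIOUS.search(decoded):
                    hits.append((name, decoded))
    return hits

def scan_log(lines):
    """Yield (client_ip, param, decoded_value) for every suspicious request."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            client, _ts, _method, path, _status = m.groups()
            for name, decoded in check_request(path):
                yield client, name, decoded

SAMPLE_LOG = [  # constructed log lines, not real traffic
    '203.0.113.5 - - [11/Jun/2017:10:00:01 +0000] "GET /?search-class=DB_CustomSearch_Widget-db_customsearch_widget&widget_number=2&cs-all-0=shoes&search=Search HTTP/1.1" 200 1234',
    '203.0.113.9 - - [11/Jun/2017:10:00:07 +0000] "GET /?search-class=DB_CustomSearch_Widget-db_customsearch_widget&widget_number=2&cs-all-0=%27%3E%3Cb%3Eprobe%3C%2Fb%3E&search=Search HTTP/1.1" 200 1234',
    '198.51.100.7 - - [11/Jun/2017:10:00:09 +0000] "GET /?search-class=DB_CustomSearch_Widget-db_customsearch_widget&widget_number=2&cs-all-0=%2527%253E&search=Search HTTP/1.1" 200 1234',
    '198.51.100.2 - - [11/Jun/2017:10:00:12 +0000] "GET /?s=%3Cb%3Ehi HTTP/1.1" 200 500',
]
```

Benign searches and requests that never reach the widget produce no hits; the two probes are reported with their decoded values so an analyst sees what the server actually reflected.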


Timeline

  • 02/06/2017 – Identification of the Vulnerability
  • 02/06/2017 – Attempt to speak with the developer
  • 03/06/2017 – Request for CVE
  • 06/06/2017 – Contact with WordPress
  • 06/06/2017 – The plug-in was removed from WordPress