Exploits

CVE-2017-9420: WordPress Spiffy Calendar v.3.2.0 Reflected Cross-Site Scripting (XSS)

Identification Date: 02/06/2017
Vendor Homepage: http://spiffycalendar.sunnythemes.com/
Software Link: https://wordpress.org/plugins/spiffy-calendar

 

Description

This version of the Spiffy Calendar plug-in is vulnerable to a Reflected Cross-Site Scripting vulnerability in the “yr” parameter due to the lack of proper input handling of the user’s data. An attacker can execute arbitrary JavaScript using a specially crafted URL. Thus, when the victim clicks on the malicious URL, the JavaScript is being executed.

Proof of Concept

In order to replay the attack, use the link below.

http://[domain]/calendar/?month=aug&yr=2017"><svg/onload=alert(document.cookie)>

As a result the JavaScript code is being executed, as shown in the proof of concept image below.

 

Solution

Update to the latest version of the Spiffy Calendar plug-in.

Timeline

  • 02/06/2017 – Contact with the vendor
  • 02/06/2017 – Vendor replied back and immediately fixed the vulnerability
  • 05/06/2017 – Public Disclosure

References