Paid Memberships Pro [Reflected XSS]
Description
Plugin Paid Memberships Pro implement a functionality to use payment gateways in order to perform payments to Paypal and other gateways. The files responsible to perform the payment requests are directly accessible and can easily manipulated from an attacker to perform an XSS attack.
During a request to this specific file all POST variables are stored in
a global var $logstr. The content of this global var are later printed
on browser without HTML entities escaping.
Additionally all POST variables are used to build a GET request to Paypal. This could open further exploitation possibilities, targeting Paypal accounts this time.
PoC
curl -XPOST 'http://wp1.dev/wp-content/plugins/paid-memberships-pro/services/ipnhandler.php'
-d 'malicious_var=<script>alert(document.cookie);</script>'
INFO
- 12 April 2016
- Pan Vag
- www.paidmembershipspro.com
- Paid Memberships Pro
- 1.8.9
- WordPress 4.4.2