Details
================
Software: MSMC - Redirect After Comment
Version: 2.1.2
Homepage: http://ift.tt/2pusFPa
Advisory report: http://ift.tt/2pWWzhP
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description
================
CSRF/Stored XSS in MSMC – Redirect After Comment could allow unauthenticated individuals to do almost anything a logged-in admin user can do.

Vulnerability
================
An unauthenticated individual can cause arbitrary JavaScript to execute within /wp-admin/ in the browser of a logged-in admin user. As the proof of concept below shows, the plugin's settings page accepts a new redirect location from a plain GET request with no CSRF token (so a link sent to the admin user is enough to change it), and it then prints the stored value back into the page without escaping it, so the injected markup is served to every admin who views the settings page afterwards. The attacker could use this to create a new user, create posts, add arbitrary PHP code (if the theme/plugin editor component is enabled) – almost anything a logged-in admin user can do.

Proof of concept
================
Step 1: Log in as an admin user.
Step 2: Visit this URL to store the arbitrary HTML:
http://localhost/wp-admin/options-general.php?page=msmc-comment-redirect&action=1&MSMC_redirect_location=http://localhost/?%22%3E%3Cscript%3Ealert(1)%3C/script%3E
Step 3: Visit this URL to execute the JavaScript:
http://localhost/wp-admin/options-general.php?page=msmc-comment-redirect

Step 3 is only needed in browsers with a reflected-XSS filter, which may block the script on the response to step 2 because the payload also appears in the request URL. In browsers without such a filter (such as Firefox) the payload executes as soon as the page in step 2 loads. In a real attack the attacker does not need an account: they send the step 2 URL to the admin user, and the admin user's browser performs the request with the admin's session.

Mitigations
================
The plugin author has indicated that this plugin is abandonware and has unpublished it from the WordPress directory. Disable and uninstall the plugin, as this bug won't be fixed. Because the payload is stored in the plugin's settings rather than reflected, also check the saved redirect location for injected markup before removing the plugin.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: http://ift.tt/1B6NWzd

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org), as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.
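The pattern described in the Vulnerability and Proof of concept sections above (a settings value saved from a GET parameter with no nonce or capability check, then echoed unescaped into a form attribute) can be illustrated with a vulnerable handler beside a hardened one. This is an added example written for this page, not the MSMC plugin's own code: the option name, hook and function names and the form markup are assumptions, and only the page slug, the `action` and `MSMC_redirect_location` query parameters and the attribute-breakout payload come from the advisory.

```php
<?php
// Added illustration, not the MSMC plugin's code. Option name, function names
// and form markup are assumptions; only the page slug, the action /
// MSMC_redirect_location parameters and the payload come from the advisory.

// --- Vulnerable pattern (assumed reconstruction) -----------------------------
// 1. Any request with action=1 updates the option: no nonce, no capability
//    check, and GET is accepted, so a link opened by a logged-in admin is
//    enough to change the setting (CSRF).
// 2. The stored value is echoed into a value="" attribute without escaping, so
//    http://localhost/?"><script>alert(1)</script> closes the attribute and
//    runs on every later visit to the settings page (stored XSS).
function msmc_example_vulnerable_settings_page() {
    if ( isset( $_GET['action'] ) && $_GET['action'] == 1 ) {
        update_option( 'MSMC_redirect_location', $_GET['MSMC_redirect_location'] );
    }
    $location = get_option( 'MSMC_redirect_location' );
    echo '<form method="get">';
    echo '<input type="hidden" name="page" value="msmc-comment-redirect">';
    echo '<input type="hidden" name="action" value="1">';
    echo '<input type="text" name="MSMC_redirect_location" value="' . $location . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// --- Hardened version --------------------------------------------------------
// - Saves only on POST and only with a WordPress nonce bound to a named
//   action, so a cross-site GET or forged POST cannot change the option.
// - Explicit capability check: only users allowed to manage options get here.
// - Input is sanitised to a URL on save and escaped again on output. Escaping
//   on output is what stops the attribute breakout even if a hostile value is
//   already in the database from the unpatched version.
function msmc_example_hardened_settings_page() {
    if ( isset( $_POST['msmc_save'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions' );
        }
        // Dies with a 403-style error page if the nonce is missing or invalid.
        check_admin_referer( 'msmc_save_redirect', 'msmc_nonce' );
        $raw = isset( $_POST['MSMC_redirect_location'] )
            ? wp_unslash( $_POST['MSMC_redirect_location'] )
            : '';
        update_option( 'MSMC_redirect_location', esc_url_raw( $raw ) );
    }
    $location = get_option( 'MSMC_redirect_location', '' );
    $target   = admin_url( 'options-general.php?page=msmc-comment-redirect' );
    echo '<form method="post" action="' . esc_url( $target ) . '">';
    wp_nonce_field( 'msmc_save_redirect', 'msmc_nonce' );
    echo '<input type="url" name="MSMC_redirect_location" value="' . esc_attr( $location ) . '">';
    echo '<input type="submit" name="msmc_save" value="Save">';
    echo '</form>';
}
```

The three fixes are independent and all three are needed: the nonce stops the cross-site write, the capability check stops a low-privileged user from changing the setting, and the output escaping stops any value, however it got there, from breaking out of the attribute.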
Timeline
================
2017-03-17: Discovered
2017-03-20: Sent a public message on Twitter requesting the ability to DM with them
2017-03-20: Plugin author responded that the plugin was abandonware and that I could DM them
2017-03-21: Sent another public message as I was still unable to send them a DM
2017-04-04: Sent another public message
2017-04-10: The plugin was removed from wordpress.org
2017-04-24: Sent another public message to check that the plugin was permanently removed
2017-05-08: Published

Discovered by dxw:
================
Tom Adams

Please visit security.dxw.com for more information.