Multiple stored Cross-Site Scripting vulnerabilities were found in the Easy Testimonials WordPress Plugin. These issues can be exploited by an authenticated Contributor (or higher). They allow an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. It is a community summer event in which a large group of security bug hunters from around the world collaborate in a month of security research on Open Source Software (WordPress this time), for fun. The event is hosted by Securify in Amsterdam.
OVE-20160712-0010
These issues were successfully tested on Easy Testimonials WordPress Plugin version 1.36.1.
This issue is resolved in Easy Testimonials WordPress Plugin version 1.37.
Easy Testimonials is an easy-to-use plugin that allows users to add Testimonials to the sidebar, as a widget, or to embed testimonials into a Page or Post using the shortcode. Multiple stored Cross-Site Scripting vulnerabilities were found in the Easy Testimonials WordPress Plugin. These issues can be exploited by an authenticated Contributor (or higher).
This can be exploited by users with a role lower than Editor (the role that has the unfiltered_html capability) to add scripts and HTML when creating or updating a testimonial. This is possible through the following fields:
- Client Name.
- Position/Web Address/Other.
- Location Reviewed/Product Reviewed/Item Reviewed.
The vulnerability allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website.
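The defensive pattern for plain-text fields like the three listed above, as an added illustration that is not the plugin's own code: sanitize on save without relying on the saving user's unfiltered_html capability, and escape again at the point of output. The meta keys, post type and function names are assumptions made for this example.

```php
<?php
// Added example, not Easy Testimonials code: meta keys, the post type
// 'testimonial' and the function names below are assumptions.

// Plain-text testimonial fields that Contributors can edit (assumed keys).
const EXAMPLE_TESTIMONIAL_FIELDS = array(
    '_example_client'   => 'Client Name',
    '_example_position' => 'Position/Web Address/Other',
    '_example_reviewed' => 'Location/Product/Item Reviewed',
);

// Save handler: these fields are never meant to carry markup, so every tag
// is stripped regardless of who saves the post. Using wp_kses_post() here
// would still let markup through for users holding unfiltered_html.
function example_save_testimonial_meta( $post_id, $post ) {
    if ( $post->post_type !== 'testimonial' ) {          // assumed post type
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    foreach ( array_keys( EXAMPLE_TESTIMONIAL_FIELDS ) as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            // sanitize_text_field() strips tags, invalid octets and stray whitespace.
            $clean = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
            update_post_meta( $post_id, $key, $clean );
        }
    }
}
add_action( 'save_post', 'example_save_testimonial_meta', 10, 2 );

// Output: escape at the point of use even though values were sanitized on
// save. Meta written by an older plugin version, or through another code
// path, would otherwise reach the page unescaped.
function example_render_testimonial_meta( $post_id ) {
    $html = '';
    foreach ( EXAMPLE_TESTIMONIAL_FIELDS as $key => $label ) {
        $value = get_post_meta( $post_id, $key, true );
        if ( $value === '' ) {
            continue;
        }
        // esc_attr() inside attribute values, esc_html() for text content.
        $html .= sprintf(
            '<span class="testimonial-field" title="%s">%s</span>',
            esc_attr( $label ),
            esc_html( $value )
        );
    }
    return $html;
}
```

The same split applies to any field rendered by the plugin's widget and shortcode: sanitize according to what the field is allowed to contain, and escape with the function matching the HTML context it is printed into.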