# Exploit Title: WordPress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities
# Exploit Author: absane
# Blog: http://blog.noobroot.com
# Discovery date: September 29th 2013
# Vendor notified: September 29th 2013
# Vendor fixed: October 2 2013
# Vendor Homepage: http://cart66.com
# Software Link: http://downloads.wordpress.org/plugin/cart66-lite.1.5.1.14.zip
# Tested on: WordPress 3.6.1
# Google-dork: inurl:/wp-content/plugins/cart66
# CVE (CSRF): CVE-2013-5977
# CVE (XSS): CVE-2013-5978
Two vulnerabilities were discovered in the WordPress plugin Cart66 version 1.5.1.14.
Vulnerabilities:
1) CSRF
2) XSS (Stored)
VULNERABILITY #1
************
*** CSRF ***
************
Page affected: http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products
If the WordPress admin were logged in and clicked on a link hosting code similar to the one in the PoC, then the admin may unknowingly add a product to his site or have an existing product altered. Other possibilities include, but are not limited to, injecting code into a field vulnerable to stored XSS (see the second vulnerability).
================
Proof of Concept
================
Host this code on a remote webserver different from the WordPress site that uses Cart66. As an authenticated WordPress admin user, visit the page and add what you will to the fields. A new product is added. In a live attack, the fields will be hidden and prefilled, and some JavaScript will auto-submit the form.
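The root cause on the defender's side is an admin form handler that trusts any POST arriving with the admin's cookies, and then echoes the stored field back into the page unescaped. The following is an added example written for this advisory, not code from Cart66: it shows how a WordPress plugin's product-creation page should gate the request (capability check plus a WordPress nonce, which a form hosted on a third-party site cannot supply), sanitize the input, and escape the stored value again on output so the same field cannot become a stored XSS sink. The hook name, field names, option key and page slug are assumptions for illustration and are not taken from the plugin.

```php
<?php
/*
 * Added example (not Cart66's own code): a CSRF- and XSS-hardened WordPress
 * admin form for adding a product. All hook names, field names, the option
 * key 'example_products' and the page slug 'example-products' are assumed.
 */

// --- Rendering the form (admin page callback) ---
function example_render_product_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_add_product', 'example_product_nonce' ); ?>
        <input type="hidden" name="action" value="example_add_product">
        <label>Name <input type="text" name="product_name"></label>
        <label>Price <input type="text" name="product_price"></label>
        <?php submit_button( 'Add product' ); ?>
    </form>
    <?php
}

// --- Handling the submission ---
add_action( 'admin_post_example_add_product', 'example_handle_add_product' );

function example_handle_add_product() {
    // 1. Capability: only users allowed to manage the store may add products.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the nonce is bound to the logged-in user and to this action, so
    //    a form on an attacker's site cannot produce a valid one even though the
    //    browser attaches the admin's cookies. check_admin_referer() stops the
    //    request with a 403 when the nonce is missing, wrong or expired.
    check_admin_referer( 'example_add_product', 'example_product_nonce' );

    // 3. Input validation: strip tags and stray whitespace from the name and
    //    coerce the price to a number before anything is stored.
    $name  = isset( $_POST['product_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['product_name'] ) )
        : '';
    $price = isset( $_POST['product_price'] ) ? floatval( $_POST['product_price'] ) : 0.0;

    if ( '' === $name || $price < 0 ) {
        wp_die( 'Invalid product data.', '', array( 'response' => 400 ) );
    }

    // Assumed storage: a plain option holding an array of products.
    $products   = get_option( 'example_products', array() );
    $products[] = array( 'name' => $name, 'price' => $price );
    update_option( 'example_products', $products );

    wp_safe_redirect( admin_url( 'admin.php?page=example-products&added=1' ) );
    exit;
}

// --- Displaying stored products ---
// Sanitising on input is not enough on its own: escape again at output so a
// value that reached the database by any other path cannot execute as script
// in the admin's browser (the stored XSS case).
function example_render_product_table() {
    $products = get_option( 'example_products', array() );
    echo '<table class="widefat"><tr><th>Name</th><th>Price</th></tr>';
    foreach ( $products as $p ) {
        printf(
            '<tr><td>%s</td><td>%s</td></tr>',
            esc_html( $p['name'] ),
            esc_html( number_format( (float) $p['price'], 2 ) )
        );
    }
    echo '</table>';
}
```

The two checks are complementary: `current_user_can()` answers "is this user allowed to do this at all", while the nonce answers "did this user actually intend this request from a page we served". A handler that has only the first is exactly the situation described above, where a logged-in admin who loads a third-party page ends up adding or altering a product.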