Exploiting wordpress plugins through admin options (No 3. — Easy Media Gallery stored XSS)

Posted on Di 17 Dezember 2013 in Php • Tagged with Vulnerablity, Websecurity, Exploit, Stored, Php, Programming, Security, Xss, Wordpress, Easy-media-galleryLeave a comment

Preface

This post is about general security weaknesses in wordpress plugins, that allow malicious attackers to gain code execution access on the web server (which is quite often the user www-data). To outline the problem shortly: Often, wordpress plugins need a administration form to handle settings and options. These options are meant to be exclusively alterable by the admin of the wordpress site. But unfortunately, lots of wordpress plugins suffer from a very dangerous combination of CSRF and stored XSS vulnerabilities, that wrapped up in a social engineering approach, may ...

Continue reading