"Wordfence Firewall Plugin XSS" "CVE-2014-4664"
So lets come to post
Today we will see that how i got "Word Press Firewall Plugin Wordfence XSS"
Wordfence starts by checking if your site is already infected.Wordfencee do a deep server-side scan of your source code comparing it to the Official WordPress repository for core, themes and plugins. Then Wordfence secures your site and makes it up to 50 times faster.
Wordfence Security is 100% free. Wordfence also offer a Premium API key that gives you access to our premium support ticketing system at support.wordfence.com along with two factor authentication via SMS, country blocking and the ability to schedule scans for specific times.
Downloads Per Day
While analysis of my website logs i saw that there is button of whois Ip lookup for getting information about Visitors Ip
Like this -
i was think that should try for XSS here , for testing i inject <script>alert(/Testing/)</script>
And in response the inject payload didnt got filtered or sanitized before echoing out to clinet side but shitty script is not getting executed , so i looked in to the source code for review
Source Code Preview
Now i dint need to explain to next thing that what i have done , but i would like to explain for newbies so they can understand properly
Our inject payload is reflecting back in this tag like <script>" some javascirp code blaaa blaaaa (payload)" </script>
Now i need to create a Payload which triaged the XSS and strip out my XSS Payload from <script></script> tag
Now i were need to add ";</script><mypayload> !!! Why ?
Now no need to explain more that why i did next i just create a payload ";</script><script>alert(/Oppps !!! Bhati Got A XSS In Wordpress Firewall Plugin Wordfence /)</script>
And Its Got Executed
And I Was Like
And Game Over
Comments And Suggestions Are Always Welcome :-)
Vulnerability Reported - 24- June-2014
Confirmation ( Acknowledgement )- 24-June-2014
Schedule A Responsible Disclosure -25-June-2014
Fixed The Issue And Patch Release Date - 24-June-2014 ( Very Fast ;-) )
Publicly Disclosure - 30-6-2014