If the Wordpress admin were logged in and clicked on a link hosting code similar to the one in the PoC, then the admin may unknowingly add a product to his site or have an existing product altered. Other possibilities include, but are not limited to, injecting code into a field vulnerable to stored XSS (see the second vulnerability).
================
Proof of Concept
================
Host this code on a remote wesbserver different from the Wordpress site that uses Cart66. As an authenticated Wordpress admin user visit the page and add what you will to the fields. A new product is added. In a live attack, the fields will be hidden, prefilled, and some javascript code will auto submit the fields.
VULNERABILITY #2
*******************
*** Stored XSS ***
*******************
Page affected: http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products in the following input fields:
* Product name
* Price description
================
Proof of Concept
================
In the vulnerable fields add <script>alert(0)</script>
The product name XSS vuln is particiularly dangerous because an attacker can use the CSRF vulnerability to add a product whose name is a malicious script. All the admin user needs to do is view the product to be attacked.
And, in Cart66Product.php replace the validate() function with:
public function validate() {
$errors = array();
if(!wp_verify_nonce($_POST['cart66_product_nonce'], 'cart66_product_nonce')) {
$errors['nonce'] = __("An unkown error occured, please try again later","cart66");
}
else {
// Verify that the item number is present
if(empty($this->item_number)) {
$errors['item_number'] = __("Item number is required","cart66");
}
// Verify that no other products have the same item number
if(empty($errors)) {
$sql = "SELECT count(*) from $this->_tableName where item_number = %s and id != %d";
$sql = $this->_db->prepare($sql, $this->item_number, $this->id);
$count = $this->_db->get_var($sql);
if($count > 0) {
$errors['item_number'] = __("The item number must be unique","cart66");
}
}
// Verify that if the product has been saved and there is a download path that there is a file located at the path
if(!empty($this->download_path)) {
$dir = Cart66Setting::getValue('product_folder');
if(!file_exists($dir . DIRECTORY_SEPARATOR . $this->download_path)) {
$errors['download_file'] = __("There is no file available at the download path:","cart66") . " " . $this->download_path;
}
}
}
