# Exploit Title: WordPress Free Counter Plugin [Stored XSS]
# Date: 2015/05/25
# Exploit Author: Panagiotis Vagenas
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://www.free-counter.org
# Software Link: https://wordpress.org/plugins/free-counter/
# Version: 1.1
# Tested on: WordPress 4.2.2
# Category: webapps
# CVE: CVE-2015-4084
Any authenticated or non-authenticated user can perform a stored XSS
attack simply by exploiting wp_ajax_nopriv_check_stat action.
Plugin uses a widget to display website's visits, so any page that
contains this widget will also load the malicious JS code.
2. Proof of Concept
* Send a post request to `http://www.free-counter.org/Api.php` in order
to reveal the counter id of the vulnerable site. The POST data must
contain the following vars:
* As a response we get a serialized indexed array. The value that we
need to know is the 'counter_id'.
* Send a post request to
`http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data:
`action=check_stat&id_counter=<counter_id from step
* Visit a page of the infected website that displays plugin's widget.
Note that the plugin uses the update_option function to store the
$_POST['value_'] contents to DB so any code inserted there will be
escaped. Even though a malicious user can omit the quotes in the src
attr of the script tag. Most modern browsers will treat the tag as they
No official solution yet exists.