CVE-2013-5672

IndiaNIC Testimonial Plugin 2.2 - Cross-Site Request Forgery via Admin Actions

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-5672. PoCs published by RogueCoder.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in the Testimonial WordPress plugin (version 2.2), including XSS, CSRF, and SQL injection. It provides proof-of-concept forms to trigger these vulnerabilities via crafted input fields.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in the IndiaNIC Testimonial plugin 2.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add a testimonial via an iNIC_testimonial_save action; (2) add a listing template via an iNIC_testimonial_save_listing_template action; (3) add a widget template via an iNIC_testimonial_save_widget action; insert cross-site scripting (XSS) sequences via the (4) project_name, (5) project_url, (6) client_name, (7) client_city, (8) client_state, (9) description, (10) tags, (11) video_url, or (12) is_featured, (13) title, (14) widget_title, (15) no_of_testimonials, (16) filter_by_country, (17) filter_by_tags, or (18) widget_template parameter to wp-admin/admin-ajax.php.

Exploits (1)

exploitdb WORKING POC

by RogueCoder · textwebappsphp

https://www.exploit-db.com/exploits/28054

View Code ZIP pw:eip

The exploit demonstrates multiple vulnerabilities in the Testimonial WordPress plugin (version 2.2), including XSS, CSRF, and SQL injection. It provides proof-of-concept forms to trigger these vulnerabilities via crafted input fields.

Classification

Working Poc 100%

Attack Type

Xss | Sqli | Csrf

Complexity

Trivial

Reliability

Reliable

Target: Testimonial WordPress plugin 2.2

No auth needed

Prerequisites: Access to the target WordPress site · Plugin installed and active

MITRE ATT&CK