12 Apr

Reflected Cross-Site Scripting (XSS) Vulnerability in Pretty Link Lite

We recently discovered the Pretty Link Lite plugin had a reflected cross-site scripting (XSS) vulnerability. In version 1.6.8, and some prior versions, the file /classes/views/shared/link-table-nav.php was echoing a GET variable without escaping it. That occurred on line 17:

<a class='prev page-numbers' href='?page=<?php echo esc_html($_REQUEST['page'].$page_params); ?>&paged=<?php echo ($current_page-1); ?>&size=<?php echo $_REQUEST['size']; ?>'>&laquo;</a>

line 31:

<a class='page-numbers' href='?page=<?php echo esc_html($_REQUEST['page'].$page_params); ?>&paged=1&size=<?php echo $_REQUEST['size']; ?>'>1</a>

line 57:

<a class='page-numbers' href='?page=<?php echo esc_html($_REQUEST['page'].$page_params); ?>&paged=<?php echo $i; ?>&size=<?php echo $_REQUEST['size']; ?>'><?php echo $i; ?></a>

line 80:

<a class='page-numbers' href='?page=<?php echo esc_html($_REQUEST['page'].$page_params); ?>&paged=<?php echo $page_count; ?>&size=<?php echo $_REQUEST['size']; ?>'><?php echo $page_count; ?></a>

and line 88:

<a class='next page-numbers' href='?page=<?php echo esc_html($_REQUEST['page'].$page_params); ?>&paged=<?php echo ($current_page + 1); ?>&size=<?php echo $_REQUEST['size']; ?>'>&raquo;</a>

Proof Of Concept

The following proof of concept URL will cause any available cookies to shown in alert box. Major web browsers other than Firefox provide XSS filtering so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=pretty-link&paged=2&size='><script>alert(document.cookie);</script>

Timeline

  • 4/11/2016 – Developer notified.
  • 4/11/2016 – Developer patches vulnerability, doesn’t change version number.

Leave a Reply

Your email address will not be published. Required fields are marked *