25 Apr

Reflected Cross-Site Scripting (XSS) Vulnerability in User Role by BestWebSoft

We recently discovered that the User Role by BestWebSoft plugin had a reflected cross-site scripting (XSS) vulnerability. In version 1.5.1, and some prior versions, the file /user-role.php echoed the GET or POST variable srrl_blog_id into an HTML attribute without escaping it. That occurred on line 233:

<input type="hidden" name="srrl_blog_id" value="<?php echo $_REQUEST['srrl_blog_id']; ?>"/>

Proof Of Concept

The following proof of concept URL will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=user-role.php&srrl_action=recover&srrl_slug=subscriber&srrl_blog_id="><script>alert(document.cookie);</script>
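
The output of line 233 for the proof of concept value above, rendered three ways, as an added example (not the plugin's code, and not necessarily the change made in version 1.5.2). The function names are hypothetical, PHP's htmlspecialchars() stands in for WordPress's esc_attr() so the script runs without WordPress, and treating srrl_blog_id as a numeric ID is an assumption.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.

// Behaviour of line 233 in 1.5.1: the request value is echoed raw.
function srrl_field_unescaped(array $request): string {
    $value = $request['srrl_blog_id'] ?? '';
    return '<input type="hidden" name="srrl_blog_id" value="' . $value . '"/>';
}

// Output escaping: encode the characters that can close the attribute or
// open a tag. Inside WordPress, esc_attr() is the function for this context.
function srrl_field_escaped(array $request): string {
    $raw = $request['srrl_blog_id'] ?? '';
    $value = htmlspecialchars(is_scalar($raw) ? (string) $raw : '', ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="srrl_blog_id" value="' . $value . '"/>';
}

// Input validation (assumption: srrl_blog_id is a numeric ID): digits only,
// anything else becomes 0.
function srrl_field_validated(array $request): string {
    $raw = $request['srrl_blog_id'] ?? '';
    $id = (is_string($raw) && ctype_digit($raw)) ? (int) $raw : 0;
    return '<input type="hidden" name="srrl_blog_id" value="' . $id . '"/>';
}

// Constructed sample requests: a normal ID, then the value from the
// proof of concept URL on this page.
$samples = [
    ['srrl_blog_id' => '3'],
    ['srrl_blog_id' => '"><script>alert(document.cookie);</script>'],
];

foreach ($samples as $request) {
    foreach (['srrl_field_unescaped', 'srrl_field_escaped', 'srrl_field_validated'] as $render) {
        $html = $render($request);
        // A literal <script> in the output means the value left the attribute.
        $status = strpos($html, '<script>') !== false ? 'script tag in output' : 'inert';
        printf("%-22s %-22s %s\n", $render, $status, $html);
    }
}
```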

Timeline

  • 4/11/2016 – Developer notified.
  • 4/25/2016 – Version 1.5.2 released, which fixes the vulnerability.
