13 Sep

Reflected Cross-Site Scripting (XSS) Vulnerability in Quotes Collection

One of the things we do to provide the best data on vulnerabilities in WordPress plugins is to monitor the wordpress.org Support Forum for threads related to those. Yesterday we ran across a thread asking if the Quotes Collection plugin that had been removed from the Plugin Directory, had a security vulnerability. The people running the Plugin Directory are choosing to keep people in the dark about removed plugins with security vulnerabilities, so people are left wondering like this. If you use our service though many of the vulnerabilities that caused plugins to be removed are listed, you can also use our No Longer in Directory plugin to see if plugins you use have been removed from the Plugin Directory, whether for a security issue or another reason.

After running across the thread we attempted to see if we could find any vulnerabilities in the most recent version of the plugin. While going through our standard checks we found that the plugin has a reflected cross-site scripting (XSS) vulnerability. That isn’t a major threat, since we don’t see much evidence of that type of vulnerability being targeted. One reason for that is that all the major web browsers other than Firefox has XSS filtering, which an attacker would need to figure a way to evade to exploit the vulnerability in the other web browsers.

The reflected cross-site scripting occurs on the page /wp-admin/admin.php?page=quotes-collection, due to the line 221 /inc/class-quotes-collection-admin.php:

<input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />

Once we saw that it seemed likely that someone else had already identified that issue, as it was the same type issue as several identified by Yorick Koster as part of the Summer of Pwnage. Here is how he described the issue in one of his advisories:

Normally, the page URL parameter is validated by WordPress, which prevents Cross-Site Scripting. However in this case the value of page is obtained from $_REQUEST, not from $_GET. This allows for parameter pollution where the attacker puts a benign page value in the URL and simultaneously submits a malicious page value as POST parameter.

A listing that seems to match the vulnerability is on the list of vulnerabilities discovered during that event, but without any details for us to link to for out data:

Reflected XSS in Quotes plugin (CSRF against admin)

July 2016 | Installs: 20K+ | Yorick Koster | OVE-20160712-0015 | Status: reporting

Proof of Concept

The following proof of concept will cause any available cookies to shown in alert box when logged in to WordPress. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/admin.php?page=quotes-collection" method="POST">
<input type="hidden" name="page" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />

Leave a Reply

Your email address will not be published. Required fields are marked *