28 Nov

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in WP Whois Domain

From time to time vulnerabilities are fixed in a plugin without anyone putting out a report on the vulnerability, and in those cases we will put out a post detailing it. While publishing the details of a vulnerability increases the chances of it being exploited, it also helps to identify vulnerabilities that haven’t been fully fixed (in some cases not fixed at all) and to identify additional vulnerabilities in the plugin.

One of the ways we keep track of vulnerabilities in WordPress plugins is by monitoring the WordPress Support Forums for relevant threads. Through that we came across a thread stating that the PCI scanner from ControlScan had identified a “[c]ross-site scripting vulnerability in domain parameter” of the WP Whois Domain plugin.

A quick check of the plugin’s code showed that the domain parameter is used on two lines in the file /pages/func-whois.php:

$domain = $_REQUEST['domain'];
if(isset($_REQUEST['domain'])){

When “$domain” is assigned from the request parameter, no sanitization or validation is done on the value.

Later in the file the value of “$domain” is output inside an HTML attribute without any escaping:

<input type="text" name="domain" id="domain" value="<?=$domain;?>">

That combination permits reflected cross-site scripting (XSS) to occur.
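To make the fix concrete, here is an added example (not the plugin’s own code) that puts the vulnerable pattern from /pages/func-whois.php next to a hardened version using WordPress’s own helpers. It assumes WordPress is loaded (wp_unslash(), sanitize_text_field() and esc_attr() are WordPress functions), and the function names and the hostname regex are our own choices.

```php
<?php
// Added example, not the plugin's code. Both functions take the request
// array as a parameter so they can be exercised without touching $_REQUEST;
// in the plugin the equivalent input is $_REQUEST['domain'].

// Vulnerable pattern: the raw request value is concatenated into an HTML
// attribute. A double quote in the value terminates the attribute, so any
// following text is parsed as markup rather than as part of the value.
function whois_domain_field_vulnerable(array $request): string {
    $domain = $request['domain'] ?? '';
    return '<input type="text" name="domain" id="domain" value="' . $domain . '">';
}

// Hardened version: validate on input, escape on output.
function whois_domain_field_hardened(array $request): string {
    $domain = '';
    if (isset($request['domain'])) {
        // WordPress adds slashes to request data; undo that, then strip
        // tags, control characters and line breaks.
        $candidate = sanitize_text_field(wp_unslash($request['domain']));
        // A whois lookup only needs a hostname, so accept nothing else
        // (labels of 1-63 chars, an alphabetic TLD, 253 chars overall).
        if (preg_match('/^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$/i', $candidate)) {
            $domain = strtolower($candidate);
        }
    }
    // esc_attr() encodes ", ', <, > and &, so even if validation were
    // loosened later the value could not close the attribute.
    return '<input type="text" name="domain" id="domain" value="' . esc_attr($domain) . '">';
}

// Constructed inputs (not from the original post) to compare the two.
$constructed_bad  = ['domain' => '"><b>constructed</b>'];
$constructed_good = ['domain' => 'example.com'];

echo whois_domain_field_vulnerable($constructed_bad), "\n";  // attribute is broken out of
echo whois_domain_field_hardened($constructed_bad), "\n";    // value rejected, field left empty
echo whois_domain_field_hardened($constructed_good), "\n";   // hostname passes through intact
```

The same two-step rule applies to any other request value the plugin reflects: validate against the narrowest shape the feature needs, then escape with the function that matches the output context (esc_attr() for attributes, esc_html() for element content).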

Proof of Concept

The following proof of concept URL will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

On a page using the plugin’s shortcode [whois-domain], add the URL parameter “domain=”><script>alert(document.cookie);</script>” to the URL.
