We recently introduced a new feature where we do security reviews of plugins that are selected by our customers. The first review was of WangGuard. The most serious issue we found in that review is a reflected cross-site scripting (XSS) vulnerability.
In the file /wangguard-user-info.php the value of the GET input “userIP” is set as the value of the variable $userIP without any sanitization:
$userIP = $_GET["userIP"];
That value is then printed without it being escaped:
printf( __('User IP: %s <br />'), $userIP); printf( __('User nicename: %s <br />'), $user_info->user_nicename);
Proof of Concept
The following proof of concept will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering so this proof of concept will not work in those web browsers.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin.php?page=wangguard_users_info&userIP=<script>alert(document.cookie);</script>
- January 2, 2017 – Developer notified.
- January 17, 2017 – WordPress.org Plugin Directory notified.
- January 18, 2017 – Version 1.7.3 released, which fixes vulnerability.