Last Thursday we notified the developer of the plugin Contact Form by BestWebSoft of the results of our security review of their plugin (the plugin was chosen by our customer to receive a review from us). One of the issues we noticed was a reflected cross-site scripting (XSS) vulnerability, which we also found in 40 other of their plugins, because the code that causes the vulnerability is shared among the plugins.
While preparing the data on the vulnerability in those plugins to add to our data set once we disclosed it, we noticed that the developer had already fixed the same issue in 12 other plugins as of the day we notified them, so we figured we were not the only ones to have noticed it. Today a company named DefenseCode put out a report on the vulnerabilities (PDF), in which they state that they notified the developer of the vulnerability on March 24. The developer's response, quoted in that report, states that they were already aware of the issue before even then:
We have already known about this vulnerability and some plugins have already been fixed. We will fix the rest of the plugins in their future updates.
The dates on which some of the plugins had the vulnerability fixed confirm that they were aware of it before then. While the vulnerability is rather minor (it is unlikely to be targeted by hackers), leaving plugins used on hundreds of thousands of websites vulnerable for at least a month is concerning.
Since the information is already out there, it doesn’t make sense to hold back our independent disclosure, as we continue to do with the rest of the results of our review in line with our current vulnerability disclosure policy. Under that policy we don’t disclose unfixed vulnerabilities for 30 days when the developer responds to our contact and the vulnerability is not already being exploited or obvious.
Here is how the issue exists in version 4.0.5 of Contact Form by BestWebSoft. In the file /bws_menu/bws_menu.php the value of the GET input “category” is assigned to the variable $plugin_category without being sanitized:
$plugin_category = isset( $_GET['category'] ) ? $_GET['category'] : 'all';
Then on lines 447-449 the value of that variable is echoed into the href attributes without being escaped:
<li><a <?php if ( ! isset( $_GET['sub'] ) ) echo 'class="current" '; ?>href="<?php echo $current_page; if ( 'all' != $plugin_category ) echo '&category=' . $plugin_category; ?>"><?php _e( 'All', 'bestwebsoft' ); ?></a></li> |
<li><a <?php if ( isset( $_GET['sub'] ) && 'installed' == $_GET['sub'] ) echo 'class="current" '; ?>href="<?php echo $current_page; ?>&sub=installed<?php if ( 'all' != $plugin_category ) echo '&category=' . $plugin_category; ?>"><?php _e( 'Installed', 'bestwebsoft' ); ?></a></li> |
<li><a <?php if ( isset( $_GET['sub'] ) && 'not_installed' == $_GET['sub'] ) echo 'class="current" '; ?>href="<?php echo $current_page; ?>&sub=not_installed<?php if ( 'all' != $plugin_category ) echo '&category=' . $plugin_category; ?>"><?php _e( 'Not Installed', 'bestwebsoft' ); ?></a></li>
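The same pattern with the defect and its fix side by side, as an added example (not BestWebSoft's code): the vulnerable function reuses the raw GET value exactly as the post describes, while the hardened one runs it through sanitize_key(), an allowlist of category slugs, and esc_attr() on output. The function_exists() shims and the $known_categories list are assumptions so the script runs as plain PHP outside WordPress.

```php
<?php
// Added example, not BestWebSoft's code. Shims let it run as plain PHP outside
// WordPress; inside WordPress the real esc_attr()/sanitize_key() are used instead.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_key' ) ) {
    function sanitize_key( $key ) {
        return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
    }
}

// Vulnerable pattern from the post: the raw GET value is reused in the href.
function vulnerable_category_link( array $get, $current_page ) {
    $plugin_category = isset( $get['category'] ) ? $get['category'] : 'all';
    $href = $current_page;
    if ( 'all' != $plugin_category ) {
        $href .= '&category=' . $plugin_category;
    }
    return '<a href="' . $href . '">All</a>';
}

// Hardened version: sanitize and allowlist on input, escape on output.
// $known is a hypothetical list of category slugs the panel actually offers.
function safe_category_link( array $get, $current_page, array $known ) {
    $plugin_category = isset( $get['category'] ) ? sanitize_key( $get['category'] ) : 'all';
    if ( ! in_array( $plugin_category, $known, true ) ) {
        $plugin_category = 'all';
    }
    $href = $current_page;
    if ( 'all' !== $plugin_category ) {
        $href .= '&category=' . rawurlencode( $plugin_category );
    }
    // esc_attr() turns any stray quote or angle bracket into an HTML entity.
    return '<a href="' . esc_attr( $href ) . '">All</a>';
}

// Constructed input shaped like the proof of concept in the post.
$get  = array( 'category' => '"><script>alert(document.cookie);</script>' );
$page = 'admin.php?page=bws_panel';
$known_categories = array( 'all', 'seo', 'social', 'forms' );
echo vulnerable_category_link( $get, $page ), "\n"; // markup breaks out of the attribute
echo safe_category_link( $get, $page, $known_categories ), "\n"; // falls back to 'all'
```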
Additional Impacted Plugins
The easiest way to know if you are impacted by this is to sign up for our service as our customers will be emailed if they are using vulnerable versions of any of the impacted plugins and also be able to check from inside WordPress if any of their plugins are vulnerable (or contained vulnerabilities in other versions). Currently, when you sign up you can try the service for free for the first month.
As of last Thursday we found the vulnerability was still in the following additional plugins (one was subsequently fixed):
- Captcha by BestWebSoft
- Car Rental by BestWebSoft
- Contact Form Multi by BestWebSoft
- Contact Form to DB by BestWebSoft
- Custom Admin Page by BestWebSoft
- Custom Fields Search by BestWebSoft
- Custom Search by BestWebSoft
- Email Queue by BestWebSoft
- Error Log Viewer by BestWebSoft
- Featured Posts by BestWebSoft
- Google +1 by BestWebSoft
- Google AdSense by BestWebSoft
- Google Analytics by BestWebSoft
- Google Captcha (reCAPTCHA) by BestWebSoft
- Google Maps by BestWebSoft
- Htaccess by BestWebSoft
- Job Board by BestWebSoft
- Latest Posts by BestWebSoft
- LinkedIn by BestWebSoft
- Pagination by BestWebSoft
- PDF & Print by BestWebSoft
- Pinterest by BestWebSoft
- Popular Posts by BestWebSoft
- Portfolio by BestWebSoft
- PromoBar by BestWebSoft
- Rating by BestWebSoft
- Realty by BestWebSoft
- Relevant – Related Posts by BestWebSoft
- Sender by BestWebSoft
- SMTP by BestWebSoft
- Social Buttons Pack by BestWebSoft
- Social Login by BestWebSoft
- Subscriber by BestWebSoft
- Testimonials by BestWebSoft
- Timesheet by BestWebSoft
- Twitter Button by BestWebSoft
- Updater by BestWebSoft
- User Role by BestWebSoft
- Visitors Online by BestWebSoft
- Zendesk Help Center by BestWebSoft
It was previously in the following plugins:
- Donate by BestWebSoft
- Facebook Button by BestWebSoft
- Gallery by BestWebSoft
- Gallery Categories by BestWebSoft
- Google Shortlink by BestWebSoft
- Google Sitemap by BestWebSoft
- Limit Attempts by BestWebSoft
- Multilanguage by BestWebSoft
- Post to CSV by BestWebSoft
- Profile Extra Fields by BestWebSoft
- Quotes and Tips by BestWebSoft
- Re-attacher by BestWebSoft
Proof of Concept
The following proof of concept will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin.php?page=bws_panel&category="><script>alert(document.cookie);</script>
- April 6, 2017 – Developer notified.
- April 7, 2017 – Developer responds.
- April 13, 2017 – Vulnerability disclosed independently of us.