Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Crafty Social Buttons
From time to time vulnerabilities are fixed in plugins without anyone putting out a report on the vulnerability, and we will then put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven’t been fully fixed (in some cases not fixed at all) and help to identify additional vulnerabilities in the plugin.
The changelog entry for version 1.5.7 of the plugin Crafty Social Buttons is “Fixed potential cross site scripting vulnerability in admin page”. Looking at the change made in that version, we found that a reflected cross-site scripting (XSS) vulnerability was fixed in that version.
In version 1.5.7 the escaping function esc_attr() is used to escape the variable $active_tab on line 36 of the file /views/admin.php (the change being the addition of esc_attr()):
echo '<input type="hidden" name="' . $tab . '" value="' . esc_attr($active_tab) . '">';
The value of $active_tab comes from the GET input “tab” on line 5:
<?php $active_tab = (isset($_GET['tab'])) ? $_GET['tab'] : 'share_options'; ?>
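As an added example (not the plugin's code), the pattern before and after the 1.5.7 change side by side in stand-alone PHP, with WordPress's esc_attr() approximated by htmlspecialchars() and an allow-list of tab names as defence in depth; the tab name follow_options is an assumption.

```php
<?php
// Added example, not the plugin's code. esc_attr() from WordPress is approximated
// with htmlspecialchars(), which covers the attribute-context characters that matter here.
function render_tab_input_vulnerable(array $get): string {
    // Pre-1.5.7 pattern: the GET value is echoed raw into an HTML attribute.
    $active_tab = isset($get['tab']) ? $get['tab'] : 'share_options';
    return '<input type="hidden" name="tab" value="' . $active_tab . '">';
}

function render_tab_input_fixed(array $get): string {
    // 1.5.7 pattern: attribute-context escaping before output.
    $active_tab = isset($get['tab']) ? $get['tab'] : 'share_options';
    $escaped = htmlspecialchars($active_tab, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="tab" value="' . $escaped . '">';
}

// Defence in depth: a tab name is one of a known set, so reject anything else
// rather than only escaping it. 'follow_options' is a hypothetical tab name.
const KNOWN_TABS = ['share_options', 'follow_options'];

function resolve_tab(array $get): string {
    $tab = isset($get['tab']) ? $get['tab'] : 'share_options';
    return in_array($tab, KNOWN_TABS, true) ? $tab : 'share_options';
}

// Constructed input: the URL-decoded form of the payload in the proof of concept below.
$get = ['tab' => '"><script>alert(document.cookie);</script>'];
echo render_tab_input_vulnerable($get), "\n"; // the quote closes the attribute and a script tag lands in the page
echo render_tab_input_fixed($get), "\n";      // &quot;&gt;&lt;script&gt;... stays inside the value attribute
echo resolve_tab($get), "\n";                 // unknown tab name falls back to share_options
```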
Proof of Concept
The following proof of concept will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/options-general.php?page=crafty-social-buttons&tab=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E