Recently a change was made to the plugin WebLibrarian that was supposed to “Fix XSS problem in front end short codes.” After not finding any report that had been put out on this issue, we started looking things over to see if there was in fact a vulnerability and then prepare a post on it for our customer.
Before we were able to figure out how the issue could be exploited we found that a related vulnerability existed as of the new version.
When a page or post with the shortcode “weblib_itemlist” is visited, the function item_list() is run, which is located in /includes/short_codes.php. Several lines in, the following code ran:
$result = "\n<!-- barcodetable: _REQUEST is ".print_r($_REQUEST,true)." -->\n";
That code will output any GET or POST inputs without them being escaped, which could be exploited for reflected cross-site scripting (XSS).
After notifying the developer of the issue, they resolved it the next day by commenting out the line (it was debug code).
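The following is an added example, not code from WebLibrarian or from the original post. It shows why an HTML comment does not make the debug line safe, and what an escaped variant looks like if debug output were kept instead of removed. The function names and the sample input are hypothetical and constructed for illustration.

```php
<?php
// Added example: the debug line from item_list() reduced to a stand-alone
// function, next to a hardened variant. Function names are hypothetical.

// Pattern from the post: raw request data placed inside an HTML comment.
// A value containing "-->" ends the comment, so whatever follows it is
// parsed by the browser as normal markup.
function debug_comment_unsafe(array $request): string {
    return "\n<!-- barcodetable: _REQUEST is " . print_r($request, true) . " -->\n";
}

// Hardened variant (assumption: the debug output is still wanted).
// Encoding "<", ">" and "&" means the dump can never contain "-->" or
// "--!>", so it cannot terminate the comment. Inside WordPress, esc_html()
// would be the usual call; htmlspecialchars() is used here so the file
// runs without WordPress loaded.
function debug_comment_safe(array $request): string {
    $dump = htmlspecialchars(
        print_r($request, true),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return "\n<!-- barcodetable: _REQUEST is " . $dump . " -->\n";
}

// True when the only comment terminator is the one the template itself
// writes at the very end of the string.
function comment_stays_closed(string $html): bool {
    $body = trim($html);
    return substr_count($body, '-->') === 1 && substr($body, -3) === '-->';
}

// Constructed input: a harmless marker that closes the comment early.
$request = ['q' => 'x --><b>outside the comment</b><!-- '];

foreach (['debug_comment_unsafe', 'debug_comment_safe'] as $fn) {
    $html = $fn($request);
    echo $fn, ': comment stays closed = ';
    var_dump(comment_stays_closed($html));
}
```

Removing the debug output entirely, as the developer did, remains the simpler fix, since request data has no reason to appear in production markup.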
Proof of Concept
The following proof of concept will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.
Visit a post or page that has the “weblib_itemlist” shortcode, add the following URL parameter to the URL, and then visit the resulting URL (add a “?” before it if there are not already any URL parameters):
- July 24, 2017 – Developer notified.
- July 25, 2017 – Version 188.8.131.52 released, which fixes the vulnerability.