16 Jan

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in WP GitHub Tools

Recently we were contacted by one of the users of our service, J.D. Grimes, who had found some possible vulnerabilities that involved shortcodes and a lack of escaping when passing data to the function wp_localize_script(). He was too busy to go further with them at the time and was wondering if we could take it from there in confirming them and getting in touch with the developers. One of the impacted plugins was WP GitHub Tools.

The plugin registers the shortcode “chart” to call the function display_chart():

add_shortcode('chart', array( &$this, 'display_chart' ));

Here is the beginning of that function:

function display_chart($atts, $content = null){
	extract(shortcode_atts(array('repository' => '', 'id' => 'github_chart_'.WP_Github_Tools::$INDEX++, 'title' => '', 'width' => '', 'class' => '', 'height' => '300', 'color' => '#f17f49', 'background' => 'transparent', 'count' => 30), $atts));

The variable $atts in that contains the attributes that are included with the shortcode. The line that begins with “extract” will set whatever is in the “id” attribute as the variable $id in the function. That code doesn’t place any restriction on what the user can cause $id to be set to, nor does it check whether the value is in any way valid.

The issue J.D. had been looking into when he came across this plugin is that the second parameter of wp_localize_script() (the name of the JavaScript object) is output directly on the page, so its value needs to be properly secured. That hasn’t happened in the last line of the function:

    wp_localize_script( 'WP_Github_Tools_Chart', $id, $data );

So anyone who can edit posts or pages can add a shortcode that includes malicious JavaScript code as the value of the “id” attribute and it will be output on the page, which is a persistent cross-site scripting (XSS) vulnerability.

We notified the developer of the issue on December 11th, but we have yet to receive any response and the vulnerability has not been fixed.

Proof of Concept

The following shortcode will cause an alert box that says “XSS” to be shown on the front-end page when placed in a WordPress post or page:

[chart id=' test = "test"; alert("xss"); test' repository="test2"]
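As an added example (not the plugin's or the author's code), here is a hardened version of the start of display_chart() that validates the “id” attribute before it can reach wp_localize_script(), and shows the proof-of-concept value above being rejected. The helper name wp_github_tools_safe_chart_id() and the identifier pattern it enforces are assumptions.

```php
<?php
// Added example, not the plugin's code: the second argument of
// wp_localize_script() becomes a JavaScript variable name inside an inline
// <script> block and is not escaped, so the "id" attribute must be a plain
// identifier before it gets there. Assumption: [A-Za-z_][A-Za-z0-9_]* is the
// accepted shape; anything else falls back to the plugin's own default id.

// Stand-in for WordPress's shortcode_atts() so this runs outside WordPress:
// it keeps only the keys the plugin declares and fills in the defaults.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts ) {
        return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
    }
}

/**
 * Return $id if it is a plain JavaScript identifier, otherwise $fallback.
 */
function wp_github_tools_safe_chart_id( $id, $fallback ) {
    if ( is_string( $id ) && preg_match( '/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $id ) ) {
        return $id;
    }
    return $fallback;
}

// Hardened start of display_chart(): same attributes as the plugin, but the
// user-controlled id is validated and extract() is dropped, so attacker-supplied
// attributes can no longer overwrite arbitrary local variables either.
function display_chart_hardened( $atts, $content = null ) {
    static $index = 0; // stands in for WP_Github_Tools::$INDEX
    $fallback = 'github_chart_' . $index++;
    $a = shortcode_atts( array(
        'repository' => '', 'id' => $fallback, 'title' => '', 'width' => '',
        'class' => '', 'height' => '300', 'color' => '#f17f49',
        'background' => 'transparent', 'count' => 30,
    ), $atts );
    $id = wp_github_tools_safe_chart_id( $a['id'], $fallback );
    // ... build $data as the plugin does, then:
    // wp_localize_script( 'WP_Github_Tools_Chart', $id, $data );
    return $id; // returned here so the validation can be checked stand-alone
}

// The advisory's proof-of-concept value is rejected and the default id is used;
// a well-formed id passes through unchanged.
var_dump( display_chart_hardened( array( 'id' => ' test = "test"; alert("xss"); test' ) ) );
var_dump( display_chart_hardened( array( 'id' => 'my_chart' ) ) );
```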

Timeline

  • December 11, 2017 – Developer notified.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if they knew about them, as well as making sure that the needed security checks have been implemented in the plugin. If you order two reviews you will receive a free lifetime subscription to our service.
