21 May

Our Plugin Security Checker Found a Reflected XSS Vulnerability in WordPress Plugin with 100,000+ Active Installs

In a reminder of the rather poor state of security of WordPress plugins and how our Plugin Security Checker tool (which is accessible through a WordPress plugin of its own) can help you to get a better idea if they are in need of additional security scrutiny when we ran the plugin WP Google Map Plugin through the tool to check to see if it would have spotted a recently fixed reflected cross-site scripting (XSS) vulnerability in the plugin we found that the plugin still contained another vulnerability of the same type (it also would have identified the possibility of the previous vulnerability if it had been checked).

In the file /core/class.initiate-core.php the function fc_geocoding() outputs the value of the variable $_POST, which contains any POST inputs sent with a request, without escaping that:

32
33
34
35
function fc_geocoding() {
	print_r($_POST);
	exit;
}

That would lead to a reflected cross-site (XSS) vulnerability depending on if and how it can be accessed. The function is registered to be accessible through WordPress’ AJAX functionality to anyone logged in to WordPress:

23
add_action( 'wp_ajax_fc_geocoding',array( $this, 'fc_geocoding' ) );

So it would be exploitable, though that isn’t a type of vulnerability that hackers are likely to exploit on the average website and therefore there isn’t a lot of risk due to it.

We notified the developer of the issue a week ago. We haven’t heard back from them (other than an automated response that they received our form submission) and no new version has been released to fix the issue. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

The following proof of concept will cause any available cookies to be shown in alert box, when logged in to WordPress. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=fc_geocoding" method="POST">
<input type="hidden" name="test" value="<script>alert(document.cookie);</script>" />
<input type="submit" value="Submit" />
</form>
</body>

Timeline

  • May 14, 2018 – Developer notified.

Concerned About The Security of the Plugins You Use?

Through the end of the year you can get a free security review of a plugin or theme when you protect 100 websites with our service.

Leave a Reply

Your email address will not be published. Required fields are marked *