One of the problems we have found with the WordPress Support Forum is that there is unproductive and inconsistent deletion of claims about the security of plugins. In an instance from just a couple of days ago a thread was deleted which mentioned an unfixed vulnerability in the plugin File Manager, deleting that doesn’t make much sense to us since it would be easy for someone with bad intentions to do same monitoring that we do and have spotted that thread before it was deleted, while deleting makes it harder for those with good intentions to find out about it. For us seeing it, not only lead to us noticing a related vulnerability in the same code, but it also led to a new check for our Plugin Security Checker to make it easier for similar issues to the one we noticed to be caught and fixed going forward, leading to better security for WordPress plugins, which unfortunately the moderators of the WordPress Support Forum don’t seem to be all that interested in based on the actions they take and their shutting down any conversion about whether those actions are productive.
That has now been fixed.
As part of the disclosure of the connected issue, the discover included the following line of code from the file /lib/wpfilemanager.php :
var fmlang = "<?php echo isset($_GET['lang']) ? $_GET['lang'] : ($wp_fm_lang !== false) ? $wp_fm_lang : 'en';?>";
With that line if the GET input “lang” exists then its value would be output without being escaped.
That line runs when visiting the page for the plugin’s file manager.
Proof of Concept
The following proof of concept will cause any available cookies to be shown in alert box when logged in WordPress as an Administrator. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin.php?page=wp_file_manager&lang=</script><script>alert(document.cookie);</script>