05 Sep

Reflected Cross-Site Scripting (XSS) Vulnerability in File Manager

One of the problems we have found with the WordPress Support Forum is that there is  unproductive and inconsistent deletion of claims about the security of plugins. In an instance from just a couple of days ago a thread was deleted which mentioned an unfixed vulnerability in the plugin File Manager, deleting that doesn’t make much sense to us since it would be easy for someone with bad intentions to do same monitoring that we do and have spotted that thread before it was deleted, while deleting makes it harder for those with good intentions to find out about it. For us seeing it, not only lead to us noticing a related vulnerability in the same code, but it also led to a new check for our Plugin Security Checker to make it easier for similar issues to the one we noticed to be caught and fixed going forward, leading to better security for WordPress plugins, which unfortunately the moderators of the WordPress Support Forum don’t seem to be all that interested in based on the actions they take and their shutting down any conversion about whether those actions are productive.

The additional vulnerability we noticed is a reflected cross-site scripting (XSS) vulnerability, which could possibly allows an attacker to run arbitrary malicious JavaScript code. This type of vulnerability isn’t a big threat since it requires getting someone else to take an action, which we don’t see hackers really interested in when it comes to untargeted attacks, and web browsers other than Firefox include filtering to restrict the ability for this type of vulnerability to be exploited.

That has now been fixed.

Underlying Code

As part of the disclosure of the connected issue, the discover included the following line of code from the file /lib/wpfilemanager.php :

var fmlang = "<?php echo isset($_GET['lang']) ? $_GET['lang'] : ($wp_fm_lang !== false) ? $wp_fm_lang : 'en';?>";

With that line if the GET input “lang” exists then its value would be output without being escaped.

That line runs when visiting the page for the plugin’s file manager.

Proof of Concept

The following proof of concept will cause any available cookies to be shown in alert box when logged in WordPress as an Administrator. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=wp_file_manager&lang=</script><script>alert(document.cookie);</script>

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.