As we continue our first week of full disclosing vulnerabilities in WordPress plugins until the people on the WordPress side of things finally clean up the moderation of their Support Forum, it is important to remember that if we didn’t do full disclosure of these vulnerabilities they would still be there in the plugins and still a security risk. In fact there are currently plenty of easy to spot vulnerabilities in popular plugins, case in point is the vulnerability we are fully disclosing today, which is a reflected cross-site scripting (XSS) vulnerability in the plugin Feed Them Social that the possibility of its existence was detected by our, far from advanced, automated tool for detecting plugin vulnerabilities, the Plugin Security Checker. That plugin, which has 70,000+ active installs according to wordpress.org, was recently run through the tool and during our continuing audits of the results from that we checked on the results for the plugin.
There were multiple possible instances of reflected XSS identified, this being the last one:
That code is located in the function fts_fb_page_token_func(), which is located in the file /includes/feed-them-functions.php and is run when using the shortcode “fts_fb_page_token”:
add_shortcode('fts_fb_page_token', array($this, 'fts_fb_page_token_func'));
It only took a quick check to figure out what combination of URL parameters were needed to confirm that this is exploitable (though far from a serious issue for the average website), as can be seen with the proof of concept below.
There is nothing stopping people from the Plugin Directory (we even have offered free access to the more advanced mode of the Plugin Security Chekcer) or elsewhere from the WordPress side of things doing the same thing we just did there and then working to get the vulnerabilities like this one fixed, but the reality is that they rather spend their time abusing their power in the Support Forum than actually working to improve things, which makes things harder for the people that are actually improving things. Especially when a lot of the high impact, but easy to do, improvements to the handling of WordPress plugin security can only be done if the Plugin Directory team cleans up their act as well.
Proof of Concept
The following proof of concept will cause any available cookies to be shown in alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.
Make sure to replace “[location of page with fts_fb_page_token shortcode]” with the location of a page or post with the “fts_fb_page_token” shortcode.
http://[location of page with fts_fb_page_token shortcode]/?load_more_ajaxing=test&fts_dynamic_name="><script>alert(document.cookie);</script>