02 Oct

Reflected Cross-Site Scripting (XSS) Vulnerability in Bitcoin Faucet

Recently we ran the plugin Bitcoin Faucet through our automated tool for checking the security of WordPress plugins, and it identified a possible reflected cross-site scripting (XSS) vulnerability in the plugin:

Unless the user input is sanitized or validated, that code leads to a vulnerability, since malicious JavaScript could be output through it. The file those lines are in does neither, so there is a vulnerability:

<?php
// Dumps every query-string parameter back into the response without escaping.
print_r($_GET);

// Echoes the 'palette' parameter unescaped, so any HTML or JavaScript
// placed in it is reflected into the page.
if(isset($_GET['palette']))
{
echo($_GET['palette']);
}

It’s not clear what the purpose of that file would be since it isn’t being utilized anywhere in the plugin as far as we could tell.
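For comparison, here is a hardened rewrite of that file. This is example code added here, not the plugin author's code: it drops the print_r() dump, validates the parameter against an allow-list, and escapes on output. It assumes the file is requested directly without the WordPress bootstrap, so it uses PHP's htmlspecialchars() rather than WordPress's esc_html().

```php
<?php
// Added example, not the plugin's own code: a hardened rewrite of the
// trof_palette_fetcher.php snippet shown above. Assumes the file is
// requested directly (no WordPress bootstrap), so plain PHP escaping is
// used; inside WordPress, esc_html() would be the idiomatic equivalent.

declare(strict_types=1);

// The original called print_r($_GET), which reflects every query
// parameter unescaped. A fetcher needs only one parameter, so the
// debugging dump is removed entirely.

/**
 * Return the palette name escaped for safe inclusion in an HTML body.
 * Every character with HTML meaning (< > & " ') becomes an entity, so a
 * payload such as <script>alert("XSS");</script> is rendered as text.
 */
function render_palette(string $palette): string
{
    return htmlspecialchars($palette, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Stricter first line of defence: accept only identifiers a palette name
 * could plausibly have (letters, digits, underscore, hyphen) and reject
 * everything else. Returns null when the value fails validation.
 */
function validate_palette(string $palette): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $palette) === 1 ? $palette : null;
}

// is_string() rejects palette[]=... array inputs, which would otherwise
// raise a TypeError under strict_types before any escaping happened.
if (isset($_GET['palette']) && is_string($_GET['palette'])) {
    $palette = validate_palette($_GET['palette']);
    if ($palette === null) {
        http_response_code(400);
        exit('Invalid palette name.');
    }
    header('Content-Type: text/html; charset=UTF-8');
    // Output is escaped even though it passed validation: defence in depth.
    echo render_palette($palette);
}
```

Either measure alone would block the proof of concept below; validation rejects the payload outright, and escaping turns it into harmless text if validation is ever loosened.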

We couldn’t find a private contact for the developer, so in the past we would probably have just disclosed this anyway, due to the continued problems caused by terrible moderators any time we try to have any interaction through WordPress’ Support Forum. But seeing as things have gotten so bad that we moved to intentional full disclosure until they clean up their act (so far their response has only been to make it harder to keep WordPress websites secure), that is how we are handling all vulnerabilities for the time being.

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box when logged in to WordPress as an Administrator. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-content/plugins/bitcoin-faucet/templates/default/palettes/trof_palette_fetcher.php?palette=<script>alert("XSS");</script>

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service you can suggest/vote for the plugins you use to receive a security review from us. You can start using the service for free when you sign up now.
