About a month ago we mentioned that the WordPress Support Forum moderators' deletion of discussions of security issues can be unhelpful. The context was that we saw a vulnerability mentioned in a thread that was quickly deleted, realized there was another related vulnerability, and then added a check for that other vulnerability to our Plugin Security Checker, which provides a limited but expanding capability to check for possible security issues in plugins. Just days later, that new check flagged a possible issue in a plugin with 100,000+ active installs that was being run through it, and a quick check confirmed that it was an exploitable vulnerability (though far from a serious issue for the average website). That the vulnerability was found in Ultimate Member wasn't all that surprising, considering that the Plugin Security Checker had identified another vulnerability of the same type in the plugin a couple of months ago.
Here are the details of the possible reflected cross-site scripting (XSS) vulnerability that was identified, which are available to users of our service through the Plugin Security Checker’s Developer Mode:
That certainly looked like that type of vulnerability, as user input was being output without being escaped, and a quick check confirmed that it was exploitable, as can be seen with the proof of concept below.
The vulnerability had been in the plugin since April without anyone noticing it before this, which again shows what the continued improvements to our Plugin Security Checker are bringing to the table in terms of improving the security of WordPress plugins.
After we notified the developer, they released version 2.0.26, which fixes this by escaping the output using esc_attr():
<input type="hidden" name="role[id]" value="<?php echo isset( $_GET['id'] ) ? esc_attr( $_GET['id'] ) : '' ?>" />
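To show the kind of check that flags this pattern, here is a simplified static scan in Python. It is an added example, not code from the plugin or from the Plugin Security Checker, and it assumes the pre-fix line was the fixed line above with the esc_attr() call removed (the post states only that the fix was to add escaping, so the exact original line is an assumption). The scan looks for echo or print statements that output a superglobal without wrapping it in an escaping function; being inside isset() or empty() is treated as safe because those do not output the value.

```python
import re

# Superglobals that carry attacker-controlled input.
USER_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")
# Output statements to inspect; the capture runs to the end of the statement or PHP tag.
OUTPUT_STMT = re.compile(r"(?:echo|print)\b(.*?)(?:;|\?>)")
# WordPress/PHP escaping helpers: input inside one of these calls is treated as escaped.
ESCAPERS = {"esc_attr", "esc_html", "esc_js", "esc_url", "esc_textarea", "htmlspecialchars"}
# Predicates that test a value without outputting it.
NON_OUTPUT = {"isset", "empty", "is_numeric", "in_array"}

# Constructed sample lines: the vulnerable form is the fixed line with esc_attr() removed
# (an assumption about the pre-fix code), the fixed form is the line quoted in the post.
VULNERABLE_LINE = (
    '<input type="hidden" name="role[id]" '
    'value="<?php echo isset( $_GET[\'id\'] ) ? $_GET[\'id\'] : \'\' ?>" />'
)
FIXED_LINE = (
    '<input type="hidden" name="role[id]" '
    'value="<?php echo isset( $_GET[\'id\'] ) ? esc_attr( $_GET[\'id\'] ) : \'\' ?>" />'
)
SAMPLE_SOURCE = VULNERABLE_LINE + "\n" + FIXED_LINE


def _enclosing_calls(stmt: str, pos: int):
    """Yield the names of calls that enclose position pos, innermost first."""
    depth = 0
    i = pos - 1
    while i >= 0:
        ch = stmt[i]
        if ch == ")":
            depth += 1
        elif ch == "(":
            if depth == 0:
                # Opening paren of a call that encloses pos; read the callee name before it.
                m = re.search(r"([A-Za-z_][A-Za-z0-9_]*)\s*$", stmt[:i])
                if m:
                    yield m.group(1)
            else:
                depth -= 1
        i -= 1


def _safe_context(stmt: str, pos: int) -> bool:
    """True if the superglobal at pos is escaped or only tested, never output raw."""
    return any(name in ESCAPERS or name in NON_OUTPUT for name in _enclosing_calls(stmt, pos))


def find_unescaped_output(source: str):
    """Return (line_number, stripped_line) for each line that outputs user input unescaped."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for stmt in OUTPUT_STMT.findall(line):
            if any(not _safe_context(stmt, m.start()) for m in USER_INPUT.finditer(stmt)):
                findings.append((line_no, line.strip()))
                break
    return findings


if __name__ == "__main__":
    for line_no, text in find_unescaped_output(SAMPLE_SOURCE):
        print(f"line {line_no}: user input echoed without escaping: {text}")
```

Run against the two constructed lines, only the first is reported; the fixed line passes because the only output of `$_GET['id']` is inside esc_attr(). Like any heuristic of this kind it is context-blind: esc_attr() is the right escaper for an HTML attribute value, but a value echoed inside a `<script>` block would need different handling that this check does not model.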
If you were relying on the plugin's changelog to determine whether there were any security fixes, you wouldn't know that, as there is no mention of it there.
Proof of Concept
The following proof of concept will cause any available cookies to be shown in an alert box when logged in to WordPress as an Administrator. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin.php?page=um_roles&tab=edit&id="><script>alert(document.cookie);</script>
- September 6, 2018 – Developer notified.
- September 7, 2018 – Developer responds.
- October 2, 2018 – Version 2.0.26 released, which fixes vulnerability.