Full Disclosure of Reflected Cross-Site Scripting (XSS) Vulnerability in WordPress Plugin with 100,000+ Installs
As part of our work to further improve our Plugin Security Checker, an automated tool anyone can use to check whether a WordPress plugin possibly contains security issues, we log the results of checks for plugins in the Plugin Directory and do spot checks of those. Through that we found that the plugin Download Manager, which has 100,000+ active installations according to wordpress.org, contains a reflected cross-site scripting (XSS) vulnerability.
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously fully disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriately is more important than what is best for the rest of the community.
Technical Details
The Plugin Security Checker flagged a couple of lines as possibly leading to a reflected cross-site scripting (XSS) vulnerability. The first of those is the following line in the file /admin/tpls/email-template-editor.php:
<input type="hidden" name="id" value="<?php echo $_GET['id']; ?>" />
That line will output the value of the GET input “id” without escaping it. That line runs when accessing the plugin’s email template editor in the admin area of WordPress. As the proof of concept below shows, nothing elsewhere in the code prevents reflected XSS from occurring when that line runs.
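As an added illustration (our own example, not the plugin’s code), here is the unescaped line rewritten as a function beside two hardened versions; the stand-in esc_attr() and the assumption that the template id is numeric are ours, so the script runs outside WordPress:

```php
<?php
// Added example, not code from the Download Manager plugin.
// Outside WordPress esc_attr() does not exist, so a stand-in is defined
// here (an approximation: WordPress core's esc_attr() is used when present).
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    }
}

// Vulnerable form: the request value is concatenated straight into an
// HTML attribute, so a double quote in the value closes the attribute.
function render_hidden_id_vulnerable(array $get): string
{
    $id = $get['id'] ?? '';
    return '<input type="hidden" name="id" value="' . $id . '" />';
}

// Hardened form 1: escape for attribute context before output.
function render_hidden_id_escaped(array $get): string
{
    $id = $get['id'] ?? '';
    return '<input type="hidden" name="id" value="' . esc_attr($id) . '" />';
}

// Hardened form 2 (assumption: the template id is numeric): cast to int
// so non-numeric input becomes 0, and still escape on output.
function render_hidden_id_strict(array $get): string
{
    $id = isset($get['id']) ? (int) $get['id'] : 0;
    return '<input type="hidden" name="id" value="' . esc_attr((string) $id) . '" />';
}

// Constructed request value that closes the attribute and the tag.
$request = ['id' => '"><b>injected</b>'];

echo 'Vulnerable: ' . render_hidden_id_vulnerable($request) . PHP_EOL;
echo 'Escaped:    ' . render_hidden_id_escaped($request) . PHP_EOL;
echo 'Strict:     ' . render_hidden_id_strict($request) . PHP_EOL;
```

In the vulnerable output the injected markup lands outside the attribute; in the escaped output the quote and angle brackets are encoded, so the value stays inside value="…".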
Proof of Concept
The following proof of concept will cause any available cookies to be shown in an alert box, when logged in as an Administrator. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&task=EditEmailTemplate&id="><script>alert(document.cookie);</script>