Internet Explorer Reflected Cross-Site Scripting (XSS) Vulnerability in Analytics Code Integration (Analytics)
As part of keeping track of the possible closure of popular WordPress plugins due to security vulnerabilities, so that we can warn customers of our service ahead of hackers exploiting vulnerabilities those closures might shine a light on, we were notified that the plugin Analytics Code Integration (Analytics), which has 30,000+ installs, was closed today. No reason has been given for the closure. There was a claim 8 months ago that there were security issues in the plugin, and the plugin hasn’t been updated since then. In quickly looking over the plugin we found a very minor vulnerability, what we refer to as an Internet Explorer reflected cross-site scripting (XSS) vulnerability.
In the files /notice_pro_get.php and /pro_get.php the following line of code exists in a couple of locations:
<input type="hidden" name="refer" value="<?php echo 'http' . (isset($_SERVER['HTTPS']) ? 's' : '') . '://' . rtrim($_SERVER['HTTP_HOST'], '/')."/" . ltrim($_SERVER['REQUEST_URI'], '/'); ?>">
That outputs values from the URL being visited without escaping them. Including malicious JavaScript in the portion of the URL that makes up the value of $_SERVER['REQUEST_URI'] could potentially lead to cross-site scripting (XSS). But as far as we are aware all major web browsers other than Internet Explorer encode that value, so this wouldn’t work in other web browsers at all. Internet Explorer has XSS filtering, which would need to be bypassed for this to be exploitable.
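The remedy for a line like this is to encode the value for the HTML attribute context at the point of output. The following PHP is an added example, not the plugin's code: the function names and the sample request are constructed, and htmlspecialchars() stands in for WordPress's esc_attr() so the script runs outside WordPress.

```php
<?php
// Added example: the "refer" field built unescaped and escaped.
// build_refer_url() mirrors the expression shown on the page; the function
// names and the sample request are constructed for illustration.

function build_refer_url(array $server): string
{
    return 'http' . (isset($server['HTTPS']) ? 's' : '') . '://'
        . rtrim($server['HTTP_HOST'], '/') . '/'
        . ltrim($server['REQUEST_URI'], '/');
}

// Behaviour described on the page: the value is echoed as-is.
function refer_field_unescaped(array $server): string
{
    return '<input type="hidden" name="refer" value="' . build_refer_url($server) . '">';
}

// Hardened: encode for the attribute context when writing the value out.
// Inside WordPress, esc_attr() (or esc_url() for URLs) fills this role.
function refer_field_escaped(array $server): string
{
    $value = htmlspecialchars(build_refer_url($server), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="refer" value="' . $value . '">';
}

// Constructed request: a client that does not percent-encode the query
// string delivers the double quote and angle brackets verbatim.
$server = [
    'HTTP_HOST'   => 'wp.example',
    'REQUEST_URI' => '/wp-admin/options-general.php?page=ga_tc_settings&test="><em>injected</em>',
];

$unescaped = refer_field_unescaped($server);
$escaped   = refer_field_escaped($server);
echo $unescaped, PHP_EOL, $escaped, PHP_EOL;

// The unescaped field lets the request close the attribute and add markup;
// the escaped field must contain exactly one tag, the <input> itself.
if (substr_count($unescaped, '<') <= 1) {
    throw new RuntimeException('sample request did not reproduce the injection');
}
if (substr_count($escaped, '<') !== 1 || substr_count($escaped, '"') !== 6) {
    throw new RuntimeException('escaped field still contains injected markup');
}
```

Because HTTP_HOST also comes from the request, encoding the whole assembled value covers it as well as REQUEST_URI.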
Proof of Concept
The following proof of concept will cause any available cookies to be shown in an alert box in Internet Explorer with its XSS filtering disabled, when logged in as an Administrator.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/options-general.php?page=ga_tc_settings&test="><script>alert(document.cookie);</