As part of our keeping track of the possible closure of popular WordPress plugins due to security vulnerabilities, so that we can warn customers of our service ahead of hacker exploiting vulnerabilities those closures might shine a light on, we were notified that the plugin Analytics Code Integration (Analytics), which has 30,000+ installs, was closed today. No reason has been given for the closure. There was a claim 8 months ago that there were security issues in the plugin and the plugin hasn’t been updated since that occurred. In quickly looking over the plugin we found a very minor vulnerability, what we refer to as an Internet Explorer reflected cross-site scripting (XSS) vulnerability.
In the files /notice_pro_get.php and /pro_get.php the following line of code exist in a couple of locations:
<input type="hidden" name="refer" value="<?php echo 'http' . (isset($_SERVER['HTTPS']) ? 's' : '') . '://' . rtrim($_SERVER['HTTP_HOST'], '/')."/" . ltrim($_SERVER['REQUEST_URI'], '/'); ?>">
Proof of Concept
The following proof of concept will cause any available cookies to be shown in an alert box in Internet Explorer with its XSS filtering disabled, when logged in as an Administrator.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/options-general.php?page=ga_tc_settings&test="><script>alert(document.cookie);</