13 Mar

Not Really a WordPress Plugin Vulnerability, Week of March 13

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Authenticated Stored XSS in Calculated Fields Form

A claimed authenticated stored XSS in Calculated Fields Form is described as this:

An authenticated user with access to edit or create forms can inject javascript into input fields such as ‘field name’ and ‘form name’. This results in the XSS being stored both on the back-end and front-end of the WordPress website. As a result, both users and administrators could be a target if a WordPress website is compromised. However, these vulnerabilities are unlikely to be weaponised due to the level of authentication required to exploit.

While that seems fairly caveated, it isn’t clear who actually would have the accessed needed.

The relevant changelog entry mentions administrators, which would most like refer to users with the Administrator role:

Fixes a possible vulnerability (fortunately only accessible by the website’s administator).

Looking at the code it turns out to be those with the “manage_option” capability, so Administrator-level users:

252
253
254
255
256
257
258
259
260
261
262
add_options_page('Calculated Fields Form Options', 'Calculated Fields Form', 'manage_options', 'cp_calculated_fields_form', array($this, 'admin_pages') );
 
// Menu option
add_menu_page( 'Calculated Fields Form Options', 'Calculated Fields Form', 'manage_options', 'cp_calculated_fields_form', array($this, 'admin_pages') );
 
// Submenu options
add_submenu_page( 'cp_calculated_fields_form', 'Documentation', 'Documentation', 'manage_options', "cp_calculated_fields_form_sub2", array($this, 'admin_pages') );
 
add_submenu_page( 'cp_calculated_fields_form', 'Online Help', 'Online Help', 'manage_options', "cp_calculated_fields_form_sub4", array($this, 'admin_pages') );
 
add_submenu_page( 'cp_calculated_fields_form', 'Upgrade', 'Upgrade', 'manage_options', "cp_calculated_fields_form_sub3", array($this, 'admin_pages') );

If an attacker has access to an Administrator account, then they can usually already do the equivalent of this or anything else they want for that matter.