Not Really a WordPress Plugin Vulnerability, Week of December 17
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.
Admin+ Reflected Cross-Site Scripting in LiteSpeed Cache
With a claimed admin+ reflected cross-site scripting vulnerability in LiteSpeed Cache, the WPScan Vulnerability Database provided this proof of concept:
As admin, enter the following payload in the Domain Key setting of the plugin: </script><script>
Then open https://example.com/wp-admin/admin.php?page=litespeed-general&qc_res=</script><script>alert(/XSS/)</script>&domain_hash=541a0e1df04a2a5b7e4bd3472ff596cc
A reflected cross-site scripting (XSS) vulnerability wouldn’t involve an Administrator saving a setting.
Looking at the changes made in the version that was supposed to fix it, we found that the apparently relevant change was made to the function update_is_linked_status() in the file /src/cloud.cls.php. Previously, the file output the “qc_res” GET input without escaping:
echo "<script>window.history.pushState( 'remove_gen_link', document.title, window.location.href.replace( '&qc_res=" . $_GET[ 'qc_res' ] . "&domain_hash=" . $_GET[ 'domain_hash' ] . "', '' ) );</script>";
Before that line runs, a valid Domain Key has to have been entered, which an attacker wouldn’t have, hence the proof of concept involving an Administrator entering a specific value first:
if ( md5( substr( $this->_api_key, 2, 8 ) ) !== $_GET[ 'domain_hash' ] ) {
	Admin_Display::error( __( 'Domain Key hash mismatch', 'litespeed-cache' ), true );
	return;
}
So there wasn’t really a vulnerability there.
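To make the two pieces of code above concrete, here is an added stand-alone PHP model (not LiteSpeed Cache’s own code, and not its actual fix) of the domain_hash gate followed by the pushState output, with the unescaped line beside an escaped alternative. The function names, the api_key value and the request array are constructed for the illustration.

```php
<?php
// Added example (not LiteSpeed Cache's code): models the gate and the output
// quoted above. Function names and sample values are assumptions.

// The gate: the request must carry an MD5 of part of the real Domain Key.
// Without the key an attacker cannot produce a matching domain_hash, so the
// output below is never reached by an unauthenticated request.
function domain_hash_matches(string $api_key, string $domain_hash): bool {
    $expected = md5(substr($api_key, 2, 8));
    return hash_equals($expected, $domain_hash);
}

// Unescaped version, mirroring the line quoted above: GET values are placed
// directly inside a JavaScript string literal inside a <script> block, so a
// value containing </script> ends the script element early.
function push_state_script_unescaped(array $get): string {
    return "<script>window.history.pushState( 'remove_gen_link', document.title, "
         . "window.location.href.replace( '&qc_res=" . $get['qc_res']
         . "&domain_hash=" . $get['domain_hash'] . "', '' ) );</script>";
}

// Escaped alternative: build the fragment in PHP, then emit it as a JSON
// string literal with the HEX flags so < > & ' " become \uXXXX escapes and
// cannot terminate either the string literal or the <script> element.
function push_state_script_escaped(array $get): string {
    $fragment   = '&qc_res=' . $get['qc_res'] . '&domain_hash=' . $get['domain_hash'];
    $js_literal = json_encode($fragment, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>window.history.pushState( 'remove_gen_link', document.title, "
         . "window.location.href.replace( " . $js_literal . ", '' ) );</script>";
}

// Handler applying the gate before any output, as the plugin's function does.
function handle_request(array $get, string $api_key): ?string {
    if (!isset($get['qc_res'], $get['domain_hash'])) {
        return null;
    }
    if (!domain_hash_matches($api_key, $get['domain_hash'])) {
        return null; // the plugin reports "Domain Key hash mismatch" and returns here
    }
    return push_state_script_escaped($get);
}

// Constructed sample request: the key is made up; the hash is derived from it.
$api_key = 'EXAMPLEKEY0123456789';
$get = ['qc_res' => '</script><script>alert(/XSS/)</script>',
        'domain_hash' => md5(substr($api_key, 2, 8))];
var_dump(handle_request($get, 'some-other-key')); // NULL: hash mismatch, nothing is output
echo handle_request($get, $api_key), "\n";          // escaped: no raw </script> in the output
```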
Authenticated Stored Cross-Site Scripting in Testimonial Rotator
With a claimed authenticated stored cross-site scripting vulnerability in Testimonial Rotator, the WPScan Vulnerability Database made these claims:
Stored Cross-Site Scripting vulnerabilities in Testimonial Rotator 3.0.3 allow low privileged users (Contributor) to inject arbitrary JavaScript code or HTML without approval. This could lead to privilege escalation
Edit (WPScanTeam): The https://wordpress.org/plugins/themify-portfolio-post/ plugin also needs to be installed for the issue to be exploited.
They claim to have a proof of concept, but have not shown it. Their only reference is a proof of concept video that doesn’t actually show this being exploited, as it starts to show that and then cuts to something different. We tried recreating what was shown, but it didn’t produce the claimed result and what we could see looked to be properly secured. By comparison, the other plugin mentioned there had a vulnerability and it was fixed.
Authenticated Path Traversal to Arbitrary File Access in Add From Server
With a claimed authenticated path traversal to arbitrary file access in the plugin Add From Server, the report disagrees with itself, since what files can be accessed is limited:
With this, I could travel all folders on server, move files with allowed-extension (jpg, xlsx, txt, zip, rar..) to upload folder to download later.
The developer has provided more details on why this isn’t really a vulnerability.
Authenticated Stored Cross-Site Scripting (XSS) in WP Google Map
With a claimed authenticated stored cross-site scripting (XSS) vulnerability in WP Google Map, the WPScan Vulnerability Database made this claim:
The plugin did not sanitise or escape the Map Title before outputting them in the page, leading to a Stored Cross-Site Scripting issue by high privilege users, even when the unfiltered_html capability is disallowed
There is no explanation of who the “high privilege users” would be. Looking at the code, the user has to be logged in as an Administrator:
add_menu_page($this->plugin_name, $this->plugin_name, 'administrator', 'wpgmapembed', array(
Administrators are normally allowed to do the equivalent of this.
Stored Cross Site Scripting in Typebot
With a claimed stored cross-site scripting vulnerability in Typebot there are multiple problems. The discoverer claims this existed in version 1.4.3 of the plugin, while the WPScan Vulnerability Database and Patchstack claim it was fixed in that version.
Looking into this, we found that first this wasn’t really a vulnerability since the attacker would need to be logged in as an Administrator.
If you still wanted to classify that as a vulnerability, as other providers did, then following the proof of concept shows that there was still a vulnerability as of the version WPScan and Patchstack said this was fixed in. That is because the plugin intentionally allows JavaScript code to be added to pages with the option “Advanced setup (with code)”, which has this description: “Paste the code from “HTML & Js” in Typebot in the Share tab:”. So in version 1.4.3, you could still accomplish the proof of concept using that.
Confusingly, in a later version, entering JavaScript code in that setting is restricted, which seems like it would make the setting unusable, but the option still exists.