04 May

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) in WordPress File Upload

From time to time a vulnerability in a plugin is disclosed without the discoverer putting out a complete report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

Recently we discussed a couple of false reports of persistent cross-site scripting (XSS) vulnerabilities in the plugin WordPress ...


Our Vulnerability Details posts provide the details of vulnerabilities we didn't discover and access to them is limited to customers of our service due to other security companies trying to sponge off the work needed to create those instead of doing their own work.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, you can try the service for free for the first month (there are a lot of other reasons that you will want to sign up beyond access to posts like this one).

If you are a WordPress plugin security researcher please contact us to get free access to all of our Vulnerability Details posts.

07 Feb

Vulnerability Details: Privilege Escalation Vulnerability in Accelerated Mobile Pages

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

A little less than a month ago the plugin Accelerated Mobile Pages was removed from the Plugin Directory for a ...


16 Jan

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in WP GitHub Tools

Recently we were contacted by one of the users of our service, J.D. Grimes, who had found some possible vulnerabilities that involved shortcodes and a lack of escaping when passing data to the function wp_localize_script(). He was too busy to go further with them at the time and was wondering if we could take it from there in confirming them and getting in touch with the developers. One of the impacted plugins was WP GitHub Tools.

The plugin registers the shortcode “chart” to call the function display_chart():

add_shortcode('chart', array( &$this, 'display_chart' ));

Here is the beginning of that function:

function display_chart($atts, $content = null){
	extract(shortcode_atts(array('repository' => '', 'id' => 'github_chart_'.WP_Github_Tools::$INDEX++, 'title' => '', 'width' => '', 'class' => '', 'height' => '300', 'color' => '#f17f49', 'background' => 'transparent', 'count' => 30), $atts));

The variable $atts contains the attributes included with the shortcode. The line that begins “extract” sets the variable $id in the function to whatever is in the “id” attribute. That code doesn’t place any restriction on what a user can cause $id to be set to, nor check whether it is in any way valid.

The issue J.D. was looking into when he came across this plugin is that the second parameter of wp_localize_script(), the name of the JavaScript object, is output directly on the page, so the value needs to be properly secured, but that hasn’t happened in the last line of the function:

    wp_localize_script( 'WP_Github_Tools_Chart', $id, $data );

So anyone that can edit posts or pages can add a shortcode that includes malicious JavaScript code as the value of the “id” attribute and it will be output, which is a persistent cross-site scripting (XSS) vulnerability.

We notified the developer of the issue on December 11th, but we have yet to receive any response and the vulnerability has not been fixed.

Proof of Concept

The following shortcode will cause an alert box that says “XSS” to be shown on the front-end page when placed in a WordPress post or page:

[chart id=' test = "test"; alert("xss"); test' repository="test2"]

Timeline

  • December 11, 2017 – Developer notified.

16 Jan

Making Sure That Valid Values Are Provided For Shortcode Attributes Can Prevent Security Issues As Well As Providing a Better Experience

One of the areas of WordPress plugins that has received additional attention when it comes to security recently has been shortcodes, as WordPress now allows anyone that is logged in to WordPress to access those. While that change has expanded the pool of people that might exploit an issue related to those, it was already the case that lower level users could access those and proper security should have been in place, which hasn’t always been the case. Making sure things are done securely doesn’t just protect against vulnerabilities, but can provide a better experience for users, as can be seen with the plugin Power Charts.

Recently we were contacted by one of the users of our service, J.D. Grimes, who had found some possible vulnerabilities that involved shortcodes and another issue that we will get to in a moment. He was too busy to go further with them at the time and was wondering if we could take it from there in confirming them and getting in touch with the developers. One of the impacted plugins was Power Charts.

That plugin registers a couple of shortcodes that then call the function pc_shortcode():

add_shortcode( 'pc', array( &$this, 'pc_shortcode' ) );
add_shortcode( 'power-charts', array( &$this, 'pc_shortcode' ) );

Here is how that function looks as of version 0.1.0:

public function pc_shortcode( $atts ) {

	/* Get power charts attributes from the shortcode. */
	extract( shortcode_atts( array(
		'id'    => '',
		/*'group' => '',
		'num'   => '-1',
		'rnd'   => false,
		'no_excerpt' => '0',
		'no_company' => '0',
		'no_name' => '0',
		'no_image' => '0',
		'no_link' => '0',
		'render' => '',
		'template' => '',*/
	), $atts ) );

	$data = get_post_meta( $id, '_wpgo_power_charts_cpt_data', true );
	$chart_fixed_js = get_post_meta( $id, '_wpgo_power_charts_cpt_js', true );
	$chart_config_js = get_post_meta( $id, '_wpgo_power_charts_cpt_config_js', true );

	$css = get_post_meta( $id, '_wpgo_power_charts_cpt_css', true );
	$html = '<div class="pc-' . $id . ' wpgo-power-charts"></div>';
	$chart_js = "(function (){" . $chart_config_js . $chart_fixed_js;

	//echo "<pre>";
	//echo $chart_js;
	//echo "</pre>";

	// Only add chart scripts/styles to pages shortcode is used on
	wp_enqueue_script( 'wpgo-d3', $this->module_roots['uri'] . '/js/pcd3.js' , array(), '', true );
	wp_localize_script( 'wpgo-d3', 'pc_data_' . $id, $data );
	wp_add_inline_script( 'wpgo-d3', $chart_js );

	wp_enqueue_style( 'wpgo-power-charts', $this->module_roots['uri'] . '/css/power-charts.css' );
	wp_add_inline_style( 'wpgo-power-charts', $css );

	return html_entity_decode($html);
}

The variable $atts contains the attributes included with the shortcode. For example, if you wanted to show the chart with Chart ID 1 you would use this shortcode:

[power-charts id="1"]

The line that begins “extract” sets the variable $id in the function to whatever is in the “id” attribute. That code doesn’t place any restriction on what a user can cause $id to be set to, nor check whether it is in any way valid.

That becomes a security issue because the function outputs the value of $id in two locations, so including JavaScript code in the value leads to persistent cross-site scripting.

The first location is the more obvious one, as the value is concatenated into the variable $html:

$html = '<div class="pc-' . $id . ' wpgo-power-charts"></div>';

As you can probably guess, that is included in the HTML of the resulting page wherever the shortcode is used.

The second area is the one J.D. was looking into when he came across the issue with this plugin, which is in wp_localize_script():

wp_localize_script( 'wpgo-d3', 'pc_data_' . $id, $data );

The second parameter in that is directly output on the page, so the value needs to be properly secured, but that hasn’t happened here.

Since the value should only be an integer, limiting the value of $id to those would fix this. If the code then checked to make sure that a valid value was included and warned if it wasn’t, that could provide users with help if they have not correctly set up a shortcode.
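One way to close both the Power Charts issue above and the WP GitHub Tools one from the earlier post at the attribute itself, as an added PHP example that is not either plugin's own code: a hardened shortcode handler that accepts only a numeric id and reports a bad one to editors, plus a helper for attributes that must be a JavaScript identifier. The meta keys and script handles are taken from the Power Charts code above; the plugins_url() paths, the text domain and the function names are assumptions.

```php
<?php
// Added example (not code from the Power Charts or WP GitHub Tools plugins).
// The "id" attribute is coerced to a positive integer and checked against an
// existing post before it is used in HTML or as the wp_localize_script()
// object name. plugins_url() paths and the text domain are assumptions.

function pc_shortcode_hardened( $atts ) {
	$atts = shortcode_atts( array( 'id' => '' ), $atts, 'power-charts' );

	// absint() turns 'test= "1";alert("XSS"); var test2 ' into 0, so anything
	// that is not a plain positive integer is rejected before any output.
	$id = absint( $atts['id'] );
	if ( 0 === $id || null === get_post( $id ) ) {
		// Tell editors what is wrong; ordinary visitors get nothing at all.
		if ( current_user_can( 'edit_posts' ) ) {
			return '<p class="pc-error">' . esc_html__( 'Power Charts: "id" must be the numeric ID of an existing chart.', 'power-charts' ) . '</p>';
		}
		return '';
	}

	$data            = get_post_meta( $id, '_wpgo_power_charts_cpt_data', true );
	$chart_fixed_js  = get_post_meta( $id, '_wpgo_power_charts_cpt_js', true );
	$chart_config_js = get_post_meta( $id, '_wpgo_power_charts_cpt_config_js', true );
	$css             = get_post_meta( $id, '_wpgo_power_charts_cpt_css', true );

	// $id is an integer now; esc_attr() stays so a later type change cannot
	// silently reopen the HTML attribute context.
	$html = '<div class="pc-' . esc_attr( $id ) . ' wpgo-power-charts"></div>';

	wp_enqueue_script( 'wpgo-d3', plugins_url( 'js/pcd3.js', __FILE__ ), array(), '', true );
	// An object name built from an integer is always a valid JS identifier.
	wp_localize_script( 'wpgo-d3', 'pc_data_' . $id, $data );
	wp_add_inline_script( 'wpgo-d3', '(function (){' . $chart_config_js . $chart_fixed_js );
	wp_enqueue_style( 'wpgo-power-charts', plugins_url( 'css/power-charts.css', __FILE__ ) );
	wp_add_inline_style( 'wpgo-power-charts', $css );

	return $html;
}
add_shortcode( 'power-charts', 'pc_shortcode_hardened' );

// For an attribute that has to be a JavaScript identifier rather than a number
// (the WP GitHub Tools "id" case): keep only [A-Za-z0-9_], require a non-digit
// first character, and otherwise fall back to a name the plugin generates.
function chart_js_identifier( $raw, $fallback ) {
	$clean = preg_replace( '/[^A-Za-z0-9_]/', '', (string) $raw );
	return ( '' !== $clean && ! ctype_digit( $clean[0] ) ) ? $clean : $fallback;
}
```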

We notified the developer of the issue on December 11th and the developer responded the same day that they were working on a fix, but the vulnerability has not been fixed so far.

Proof of Concept

The following shortcode will cause an alert box that says “XSS” to be shown on the front-end page when placed in a WordPress post or page:

[power-charts id='test= "1";alert("XSS"); var test2 ']

Timeline

  • December 11, 2017 – Developer notified.
  • December 11, 2017 – Developer responds.

16 Oct

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Starbox

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

What seems like a good reason for the Plugin Directory to be providing clearer information as to why plugins are ...


24 Aug

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in FG Joomla to WordPress

While looking into an unrelated issue with the plugin FG Joomla to WordPress, we found that it contained an authenticated cross-site scripting (XSS) vulnerability.

The plugin has a number of actions that are run through the function ajax_importer(), which is accessed through WordPress’ AJAX functionality and is accessible to anyone logged in to WordPress (/includes/class-fg-joomla-to-wordpress.php):

$this->loader->add_action( 'wp_ajax_fgj2wp_import', $plugin_admin, 'ajax_importer' );

The function ajax_importer() located in the file /admin/class-fg-joomla-to-wordpress-admin.php didn’t do any capabilities check. For most actions that function passes the action request to the function dispatch():

$result = $this->dispatch($action);

In the function dispatch(), also located in the file /admin/class-fg-joomla-to-wordpress-admin.php, most of the actions check for a valid nonce, so under normal circumstances only Administrators could access them. One of the exceptions was saving the plugin’s settings:

// Save database options
case 'save':
	$this->save_plugin_options();
	$this->display_admin_notice(__('Settings saved', 'fg-joomla-to-wordpress'));
	break;

In addition, other actions also save the settings, and they did so before the nonce check:

// Test the database connection
case 'test_database':
	// Save database options
	$this->save_plugin_options();

	if ( check_admin_referer( 'parameters_form', 'fgj2wp_nonce' ) ) { // Security check

The lack of a nonce check would also allow for cross-site request forgery (CSRF) to occur.

Before the settings are saved there is validation done, but for the “url” setting the sanitization done doesn’t prevent cross-site scripting (XSS):

937
$url = filter_input(INPUT_POST, 'url', FILTER_SANITIZE_URL);

Using FILTER_SANITIZE_URL will:

Remove all characters except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.

That leaves the characters needed for cross-site scripting.

After we notified the developer of the issue they fixed each of the issues in version 3.31.0.

They added a capabilities check:

public function ajax_importer() {
	$current_user = wp_get_current_user();
	if ( !empty($current_user) && $current_user->has_cap('import') ) {

They added a check for a valid nonce when using the save action (as well as moving the saving of settings for other actions after the nonce check):

case 'save':
	if ( check_admin_referer( 'parameters_form', 'fgj2wp_nonce' ) ) { // Security check
		$this->save_plugin_options();

And they passed the “url” setting through the esc_url() function:

$url = esc_url(filter_input(INPUT_POST, 'url', FILTER_SANITIZE_URL));
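The three fixes combined into the shape a privileged admin-ajax handler should take, as an added PHP example rather than the plugin's own code: capability check, then a nonce check for every action, then field validation, and only then a write. The action name, nonce name and the 'import' capability come from the post above; the option name, field names and messages are assumptions.

```php
<?php
// Added example (not the FG Joomla to WordPress plugin's own code). Order of
// checks for a privileged admin-ajax handler: capability, then nonce for every
// action, then per-field validation, and only then a write. The action name,
// nonce and 'import' capability come from the post; the option name, field
// names and messages are assumptions.

function fgj2wp_ajax_importer_hardened() {
	// 1. Authorisation. admin-ajax.php fires wp_ajax_* for any logged-in user,
	//    so the handler itself has to require a capability.
	if ( ! current_user_can( 'import' ) ) {
		wp_send_json_error( 'insufficient privileges', 403 );
	}

	// 2. CSRF. check_ajax_referer() dies on a missing or invalid nonce, and it
	//    runs before the switch so no branch can save settings without it.
	check_ajax_referer( 'parameters_form', 'fgj2wp_nonce' );

	$action = isset( $_POST['plugin_action'] ) ? sanitize_key( wp_unslash( $_POST['plugin_action'] ) ) : '';
	switch ( $action ) {
		case 'save':
		case 'test_database':
			// 3. Validation. Reject the field outright instead of trying to
			//    strip "bad" characters out of it.
			$url = fgj2wp_validated_url( isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '' );
			if ( false === $url ) {
				wp_send_json_error( 'url must be an absolute http(s) URL', 400 );
			}
			update_option( 'fgj2wp_options', array( 'url' => $url ) );
			wp_send_json_success( 'Settings saved' );
			break;
		default:
			wp_send_json_error( 'unknown action', 400 );
	}
}
add_action( 'wp_ajax_fgj2wp_import', 'fgj2wp_ajax_importer_hardened' );

// FILTER_SANITIZE_URL keeps < > " and ', so on its own it is no defence
// against XSS. Require an http(s) URL that survives esc_url_raw() and
// FILTER_VALIDATE_URL; whatever later echoes the stored value into an
// attribute must still wrap it in esc_url().
function fgj2wp_validated_url( $raw ) {
	$clean = esc_url_raw( trim( (string) $raw ), array( 'http', 'https' ) );
	if ( '' === $clean || false === filter_var( $clean, FILTER_VALIDATE_URL ) ) {
		return false;
	}
	return $clean;
}
```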

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the page /wp-admin/admin.php?import=fgj2wp, when submitted while logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="fgj2wp_import" />
<input type="hidden" name="plugin_action" value="save" />
<input type="hidden" name="url" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • August 23, 2017 – Developer notified.
  • August 23, 2017 – Developer responds.
  • August 24, 2017 – Version 3.31.0, which fixes the vulnerability.

09 Jun

Authenticated Persistent Cross-Site Scripting (XSS) in WP Posts Carousel

Recently we found that the plugin WP Posts Carousel has an authenticated persistent cross-site scripting (XSS) vulnerability due to a lack of sanitization or escaping when shortcode attributes are output in JavaScript code generated by the plugin.

For example, the “dots_speed” attribute is added to the output with the following line in the file /carousel-generator.class.php:

dotsSpeed: ' . $params['dots_speed'] . ',

Before that, the value passes through several locations without any sanitization.

It starts as one of the values in $atts in the function that is called by the shortcode, in the file /shortcode-decode.class.php:

public static function initialize($atts, $content = null, $code = "") {
    return WpPostsCarouselGenerator::generate($atts);

In the generate() function it gets placed in the $params variable after being passed through the function prepareSettings(), which doesn’t impact it (both of those are in the file /carousel-generator.class.php):

public static function generate($atts) {
    global $post;

    /*
     * default parameters
    */
    $params = self::prepareSettings($atts);
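
The alternative to building the JavaScript by string concatenation, as an added PHP example that is not the WP Posts Carousel plugin's own code: coerce every attribute to the type of its default and serialise the whole option set with wp_json_encode(), so a value like the proof of concept's dots_speed can never close the options object. The attribute subset, the 'owl-carousel' script handle and the wrapper JS are assumptions.

```php
<?php
// Added example (not the WP Posts Carousel plugin's own code). Rather than
// splicing each attribute into JavaScript source by string concatenation,
// every attribute is coerced to the type of its default and the whole option
// set is serialised with wp_json_encode(), so a value like the dots_speed in
// the proof of concept cannot close the options object and inject code.
// The attribute subset, 'owl-carousel' handle and wrapper JS are assumptions.

function wpc_owl_options( $atts ) {
	$defaults = array(
		'dots_speed' => 800,
		'nav_speed'  => 800,
		'slide_by'   => 1,
		'margin'     => 5,
		'loop'       => true,
		'dots'       => true,
		'nav'        => true,
		'mouse_drag' => true,
	);
	$atts = shortcode_atts( $defaults, $atts, 'wp_posts_carousel' );
	$opts = array();
	foreach ( $defaults as $key => $default ) {
		$value = $atts[ $key ];
		if ( is_int( $default ) ) {
			// "800,});alert(document.cookie);..." is not numeric: use the default.
			$value = ( is_numeric( $value ) && (int) $value >= 0 ) ? (int) $value : $default;
		} else {
			// Booleans: accept only the usual spellings of "on"; anything else is false.
			$value = in_array( strtolower( trim( (string) $value ) ), array( 'true', '1', 'yes' ), true );
		}
		// dots_speed -> dotsSpeed, the camelCase names the plugin already uses.
		$opts[ lcfirst( str_replace( '_', '', ucwords( $key, '_' ) ) ) ] = $value;
	}
	return $opts;
}

function wpc_add_carousel_script( $atts, $carousel_id ) {
	// Both the options and the element id reach the page as JSON literals,
	// never as raw source text, so no attribute value can break out.
	$js = sprintf(
		'jQuery(function($){ $(%s).owlCarousel(%s); });',
		wp_json_encode( '#' . $carousel_id ),
		wp_json_encode( wpc_owl_options( $atts ) )
	);
	wp_add_inline_script( 'owl-carousel', $js );
}
```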

We notified the developer of the vulnerability nearly three weeks ago, but haven’t heard back from them and the vulnerability has yet to be fixed.

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the relevant post or page.

When logged in as a user that can save posts and pages, add the following shortcode to a post or page:

[wp_posts_carousel template="compact.css" post_types="post" all_items="10" show_only="id" exclude="" posts="" ordering="asc" categories="" relation="and" tags="" show_title="true" show_created_date="true" show_description="false" allow_shortcodes="false" show_category="true" show_tags="false" show_more_button="true" show_featured_image="true" image_source="thumbnail" image_height="100" image_width="100" items_to_show_mobiles="1" items_to_show_tablets="2" items_to_show="4" slide_by="1" margin="5" loop="true" stop_on_hover="true" auto_play="true" auto_play_timeout="1200" auto_play_speed="800" nav="true" nav_speed="800" dots="true" dots_speed="800,});alert(document.cookie);wpPostsCarousel1995130008.owlCarousel({loop: false" lazy_load="false" mouse_drag="true" mouse_wheel="true" touch_drag="true" easing="linear" auto_height="true" custom_breakpoints=""]

Timeline

  • May 22, 2017 – Developer notified.

10 Apr

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in YOP Poll

From time to time vulnerabilities are fixed in a plugin without someone putting out a report on the vulnerability and we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven’t been fully fixed (in some cases not fixed at all) and help to identify additional vulnerabilities in ...


13 Feb

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in BP Better Messages

From time to time vulnerabilities are fixed in a plugin without someone putting out a report on the vulnerability and we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven’t been fully fixed (in some cases not fixed at all) and help to identify additional vulnerabilities in ...


03 Feb

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) in Watu

From time to time vulnerabilities are fixed in a plugin without someone putting out a report on the vulnerability and we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven’t been fully fixed (in some cases not fixed at all) and help to identify additional vulnerabilities in ...

