3 Oct 2016

Persistent Cross-Site Scripting (XSS) Vulnerability in WP Quick Booking Manager

One of the things we do to make sure we are providing our customers with the best data on the vulnerabilities that exist and are being exploited in WordPress plugins is to monitor our websites for hacking attempts. Through that we have found quite a few vulnerabilities that exist in the current versions of plugins that it looks like hackers have already started exploiting. In the most recent case, though, we are still not quite sure what the hacker was targeting. Recently we found a hacker probing for usage of the plugin WP Quick Booking Manager, along with five other plugins at the same time. As we started looking over the plugins, one connection we found was that they all contained code that looked susceptible to SQL injection. For this plugin we then noticed another security vulnerability, a persistent cross-site scripting (XSS) vulnerability, that looks to be easier to exploit, and that type of vulnerability is more often targeted (though usually in plugins with a lot more active installations than this one).

In the file /scbooking.php the function gen_save_cssfixfront() is made accessible to those not logged in through WordPress’ AJAX functionality: [Read more]

3 Oct 2016

Persistent Cross-Site Scripting (XSS) Vulnerability in EventCommerce WP Event Calendar

One of the things we do to make sure we are providing our customers with the best data on the vulnerabilities that exist and are being exploited in WordPress plugins is to monitor our websites for hacking attempts. Through that we have found quite a few vulnerabilities that exist in the current versions of plugins that it looks like hackers have already started exploiting. In the most recent case, though, we are still not quite sure what the hacker was targeting. Recently we found a hacker probing for usage of the plugin EventCommerce WP Event Calendar, along with five other plugins at the same time. As we started looking over the plugins, one connection we found was that they all contained code that looked susceptible to SQL injection. For this plugin we then noticed another security vulnerability, a persistent cross-site scripting (XSS) vulnerability, that looks to be easier to exploit, and that type of vulnerability is more often targeted (though usually in plugins with a lot more active installations than this one).

In the file /evntgen-scbooking.php the function evntgen_save_cssfixfront() is made accessible to those not logged in through WordPress’ AJAX functionality: [Read more]

3 Oct 2016

Persistent Cross-Site Scripting (XSS) Vulnerability in WordPress Appointment Schedule Booking System

One of the things we do to make sure we are providing our customers with the best data on the vulnerabilities that exist and are being exploited in WordPress plugins is to monitor our websites for hacking attempts. Through that we have found quite a few vulnerabilities that exist in the current versions of plugins that it looks like hackers have already started exploiting. In the most recent case, though, we are still not quite sure what the hacker was targeting. Recently we found a hacker probing for usage of the plugin WordPress Appointment Schedule Booking System, along with five other plugins at the same time. As we started looking over the plugins, one connection we found was that they all contained code that looked susceptible to SQL injection. For this plugin we then noticed another security vulnerability, a persistent cross-site scripting (XSS) vulnerability, that looks to be easier to exploit, and that type of vulnerability is more often targeted (though usually in plugins with a lot more active installations than this one).

In the file /appointgen-scappointment.php the function appointgen_save_cssfixfront() is made accessible to those not logged in through WordPress’ AJAX functionality: [Read more]

6 Sep 2016

Persistent Cross-Site Scripting (XSS) Vulnerability in 404 to 301

One of the things we think is important when disclosing vulnerabilities in WordPress plugins is to provide the details so that others can review them. That isn’t a view held by everyone, as one WordPress security company has been holding back details while claiming to put the WordPress community first. There are a number of reasons we feel that is important, starting with the fact that we often find vulnerabilities haven’t actually been fixed, which is easy to spot and then get fixed if you can see all of the details. Another reason is that we have often seen that upon reviewing the vulnerability report someone will spot an additional security issue in the same plugin. Having the details also can allow for spotting the same type of vulnerability in other plugins. The final two came together recently for us to spot a minor persistent cross-site scripting (XSS) vulnerability in the plugin 404 to 301 and to suggest further improvements to how the plugin secures the user input it takes in.

The report that made us look into this was from Louis Dion-Marcil, of a related persistent cross-site scripting (XSS) vulnerability. While checking over that to add to our data set we noticed that there was still a more limited issue. The original vulnerability could have allowed malicious JavaScript to run when just visiting the plugin’s admin page. From seeing a number of other reports we were aware that there is potential for this type of vulnerability by creating a link that runs JavaScript, for example "javascript:alert("XSS");", and found that it could be placed in the referer user input in the plugin. The limit of that here is that not only do you have to click on the link, but the malicious code would be visible before clicking the link: [Read more]

29 Aug 2016

Persistent Cross-Site Scripting (XSS) Vulnerability in WP-Piwik

As we continue to review old third-party data on hacking attempts to identify more vulnerabilities that hackers have likely already discovered in WordPress plugins, we spotted a persistent cross-site scripting (XSS) vulnerability in the plugin WP-Piwik.

Back in January a request was made for the file /wp-content/plugins/wp-piwik/js/wp-piwik.js, for what may have been a probe for usage of the plugin before exploiting it. Looking over the plugin for any obvious issues we found that as of version 1.0.9 anyone (even if they were not logged in) can change the plugin’s settings, and through those settings they could add malicious JavaScript code to the website’s pages. [Read more]

18 Jul 2016

Persistent Cross-Site Scripting (XSS) Vulnerability in Total Security

We were recently doing some basic security checks over WordPress security plugins and identified a possible issue in the plugin Total Security. While the issue we were first looking into turned out not to be exploitable, we noticed a couple of other security vulnerabilities in the plugin. The first one is a persistent cross-site scripting (XSS) vulnerability in the 404 log feature, which is disabled by default, due to lack of proper handling of user input data.

While it seems pretty bad that a security plugin has security vulnerabilities of its own, what is more incredible is the response from the developer. It took them 5 days to get back to us, and at that point it doesn’t even look like they had really looked over the information we provided them, since they were asking what the solution to the vulnerabilities was, despite much of that being provided in a link we had included in our original message. Yesterday, 17 days later, they released a new version of the plugin, 3.3.8, which didn’t fix either of the vulnerabilities. Oddly, the version available before that was 3.4, so they moved backwards in version numbers as well. [Read more]

13 Jul 2016

Protecting You Against Wordfence’s Bad Practices: XSS Vulnerability in All in One SEO Pack

Wordfence is putting WordPress websites at risk by disclosing vulnerabilities in plugins with the critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities to try to limit the damage Wordfence’s practice could cause.

The latest in our ongoing series of putting out the details of vulnerabilities discovered by Wordfence is a good example of why what Wordfence is doing is hurting the security of WordPress plugins. In this case they saw a report of a persistent cross-site scripting (XSS) vulnerability in the plugin All in One SEO Pack and discovered a similar vulnerability, which is something that often happens when security researchers see reports of vulnerabilities in plugins. The difference is that that report, like other reports by responsible parties, included the details of the vulnerability, so it was easy for Wordfence to see what the issue was in that case. Wordfence excluding those details makes it harder to do the same with vulnerabilities that they have discovered, but through our work on this we have already found two additional security vulnerabilities in the Yoast SEO plugin and one in the WP Fastest Cache plugin. [Read more]

22 Jun 2016

Persistent Cross-Site Scripting (XSS) Vulnerability in WordPress File Monitor

Recently we have been catching a lot of vulnerabilities in plugins by looking at what appear to be hackers probing for usage of plugins on our websites and then looking through those plugins for security vulnerabilities. Due to the success of that we are looking for more data on that type of probing so that we can catch more vulnerabilities, both to warn our customers about security issues in plugins they might be using and to limit the impact those vulnerabilities can have on others as well. Through that we came across a request for the plugin WordPress File Monitor. That is a security plugin designed to monitor for file changes, which we found has a security vulnerability that would allow a hacker to cause file changes they made to be ignored and, more importantly, allows for persistent cross-site scripting (XSS).

The problem starts with a request for the URL /wp-admin/options-general.php?page=WordPressFileMonitor&display=alertDesc; when that is requested, the following code is run: [Read more]

7 Jun 2016

Persistent Cross-Site Scripting (XSS) Vulnerability in Royal Gallery

The Royal Gallery plugin has a persistent cross-site scripting (XSS) vulnerability (and possibly other security issues) as of version 2.3. The details of the underlying issue that causes this can be found in our post for the same vulnerability in the plugin Flip Slideshow, which shares the same vulnerable code.

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the page /wp-admin/admin.php?page=splendidgallery_settings. [Read more]

7 Jun 2016

Persistent Cross-Site Scripting (XSS) Vulnerability in Flip Slideshow

The Flip Slideshow plugin has a persistent cross-site scripting (XSS) vulnerability (and possibly other security issues) as of version 2.2.

Due to an issue with code shared among several plugins, which we first found in the Vertical Slideshow plugin, functions intended for Administrator level users in this plugin are accessible to anyone (even if they are not logged in). One of those is save_flp_settings(), which saves values for the plugin’s settings: [Read more]