28 Apr

Reflected Cross-Site Scripting (XSS) Vulnerability in WP Statistics

A couple of days ago we started to look into a series of releases (12.0.2-12.0.5) of the plugin WP Statistics that were indicated to have fixed cross-site scripting (XSS) vulnerabilities. While there were a couple of advisories put out related to this, those didn’t include the details needed to confirm that vulnerabilities had existed and had been fixed. When we started testing things out to figure out exactly what was going on, we accidentally ran across yet another XSS vulnerability, this time a reflected XSS vulnerability.

While that is a minor vulnerability, it probably isn’t the best sign of the security of that plugin that we could stumble onto yet another vulnerability. Considering that this is a plugin with 300,000+ active installs according to wordpress.org, it also isn’t a good sign as to the security of WordPress plugins in general.

The issue started on line 7 of the file /includes/log/page-statistics.php, where the value of the GET input “page-uri” is set to the variable $pageuri without being sanitized:

if( array_key_exists( 'page-uri', $_GET ) ) { $pageuri = $_GET['page-uri']; } else { $pageuri = null; }

That variable is then added to the variable $urlfields on line 20:

if( $pageuri ) { $urlfields .= "&page-uri={$pageuri}"; }

And on line 29 the second variable is passed to the function wp_statistics_date_range_selector():

wp_statistics_date_range_selector( WP_STATISTICS_PAGES_PAGE, $daysToDisplay, null, null, $urlfields );

From there in the file /includes/functions/functions.php the value was output unescaped on line 972:

echo 'href="?page=' . $page . '&hitdays=' . $range[$i] . $extrafields . '">' . $desc[$i] . '</a></li>';

And on line 988:

echo '<input type="hidden" name="' . $key . '" value="' . $value . '">';

In version 12.0.6 both of those instances where it is output now pass the value through the escaping function esc_url():

echo 'href="?page=' . $page . '&hitdays=' . $range[$i] . esc_url($extrafields) . '">' . $desc[$i] . '</a></li>';
echo '<input type="hidden" name="' . $key . '" value="' . esc_url($value) . '">';
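To make the attribute break-out concrete, here is an added Python model of the data flow above (example code written for this page, not WP Statistics code). It rebuilds the href and hidden-input output with the raw value, then with the value attribute-encoded or URL-encoded before concatenation, and parses each fragment the way a browser would to see whether an extra element appears. The two escaping helpers are stand-ins for the effect of escaping at output time, not a reimplementation of esc_url(); the parameter value is the percent-decoded form of the proof-of-concept URL given further down.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# Constructed input: the "page-uri" GET value as PHP's $_GET would present it
# (percent-decoded). It is the payload from the proof-of-concept URL on this page.
PAGE_URI = unquote("%3F%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E")

def attr_escape(value):
    """Stand-in for attribute-context escaping: quotes, <, > and & are encoded."""
    return html.escape(value, quote=True)

def url_escape(value):
    """Stand-in for percent-encoding a query-string value before concatenation."""
    return quote(value, safe="")

def build_urlfields(page_uri, escape=None):
    """Model of page-statistics.php line 20: append the value to $urlfields,
    optionally passing it through an escaping function first."""
    value = escape(page_uri) if escape else page_uri
    return f"&page-uri={value}"

def render_link(page, hitdays, extrafields, desc):
    """Model of the functions.php line 972 echo (value lands in an href attribute)."""
    return f'<li><a href="?page={page}&hitdays={hitdays}{extrafields}">{desc}</a></li>'

def render_hidden(key, value):
    """Model of the functions.php line 988 echo (value lands in a value attribute)."""
    return f'<input type="hidden" name="{key}" value="{value}">'

class _TagCollector(HTMLParser):
    """Records every start tag the parser sees in a fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def element_names(markup):
    """Element names a browser would create from the rendered fragment."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags

def injects_script(markup):
    """True when the fragment contains a script element that the template never wrote."""
    return "script" in element_names(markup)

def demo():
    """Compare the unescaped output with the escaped variants for both sinks."""
    page, days, desc = "wps_pages_page", 7, "Last 7 days"
    return {
        "link_raw": injects_script(render_link(page, days, build_urlfields(PAGE_URI), desc)),
        "link_attr_escaped": injects_script(render_link(page, days, build_urlfields(PAGE_URI, attr_escape), desc)),
        "link_url_escaped": injects_script(render_link(page, days, build_urlfields(PAGE_URI, url_escape), desc)),
        "hidden_raw": injects_script(render_hidden("page-uri", PAGE_URI)),
        "hidden_attr_escaped": injects_script(render_hidden("page-uri", attr_escape(PAGE_URI))),
    }

if __name__ == "__main__":
    for name, injected in demo().items():
        print(f"{name}: {'script element injected' if injected else 'inert'}")
```

The point the model makes is that the sink decides the escaping: the value sits inside a quoted attribute, so either encoding it for that attribute context or percent-encoding it before it ever reaches the query string closes the break-out, while raw concatenation lets the `">` in the value terminate the attribute and the tag.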

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=wps_pages_page&page-uri=%3F%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

Timeline

  • February 26, 2017 – Developer notified.
  • February 28, 2017 – Version 12.0.6 released, which fixes vulnerabilities.

26 Apr

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Ultimate Form Builder Lite

To provide our customers with the best information possible on vulnerabilities that have been in WordPress plugins they use, we create posts, like this one, which include the details of vulnerabilities for which the discoverer has not released a report with those details already. That allows our customers to better understand how the vulnerability had or could have impacted their website.

For existing customers, please log in to your account to view the details of this vulnerability.

If you are not currently a customer, when you sign up now you can try the service for free for the first month (there are a lot of other reasons that you will want to sign up beyond access to posts like this one).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

21 Apr

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Simple Job Board

03 Apr

Reflected Cross-Site Scripting (XSS) Vulnerability in Contact Form 7 Database

One of the ways we keep track of vulnerabilities in WordPress plugins is by monitoring the wordpress.org Support Forum as that is sometimes where vulnerabilities are disclosed. As far as we can tell we are alone in doing this, so if you are relying on another data source for your plugin vulnerability data you are most likely not going to be warned about those. One recent vulnerability we came across through that is a persistent cross-site scripting (XSS) vulnerability in the plugin Contact Form 7 Database. While looking into that we noticed that the plugin also has a reflected cross-site scripting (XSS) vulnerability.

When using the search function on the plugin’s admin page the value searched for, in the form of the GET input “search”, is echoed without being escaped on line 11 of the file /admin/search.php:

<input value="<?php echo ((isset($_GET['search'])) ? $_GET['search'] : ''); ?>" type="text" class="" id="cf7d-search-q" placeholder="<?php echo _e('Type something...'); ?>" id="" />
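For the defender side, here is an added Python scanner (written for this page, not the plugin’s code) that reads Apache-style access-log lines, percent-decodes each query parameter, including double-encoded values, and flags any value containing a tag opener or an attribute-closing quote followed by `>`. The log lines, IP addresses and timestamps are constructed samples; the flagged requests use the “search” parameter from this post and the “page-uri” parameter from the WP Statistics post above, so one check covers both.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format). Two requests
# carry a markup payload in the vulnerable parameters, one of them double-encoded,
# and two are ordinary admin-page requests.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Apr/2017:10:01:02 +0000] "GET /wp-admin/admin.php?page=wps_pages_page&page-uri=%3F%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Apr/2017:10:01:09 +0000] "GET /wp-admin/admin.php?page=cf7-data&search=%2522%253E%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Apr/2017:10:02:30 +0000] "GET /wp-admin/admin.php?page=cf7-data&search=invoice%20march HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Apr/2017:10:03:00 +0000] "GET /wp-admin/admin.php?page=wps_pages_page&page-uri=%2Fabout-us%2F HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Request-line fields we need: client IP, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of markup injection in a decoded parameter value: "<" followed by
# an (optionally closing) tag name, or a quote followed by ">" that would close
# an attribute and its tag, exactly the pattern used against a quoted attribute.
INJECTION_RE = re.compile(r'<\s*/?\s*[a-z]|["\']\s*>', re.IGNORECASE)

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return one finding per suspicious query parameter in a single log line."""
    match = REQUEST_RE.match(line)
    if not match:
        return []
    parts = urlsplit(match.group("target"))
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_fully(value)
        if INJECTION_RE.search(decoded):
            findings.append({
                "ip": match.group("ip"),
                "time": match.group("ts"),
                "path": parts.path,
                "param": name,
                "value": decoded,
            })
    return findings

def scan_log(text):
    """Scan every line of a log and collect the findings in order."""
    return [finding for line in text.splitlines() for finding in scan_line(line)]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} {finding['path']} "
              f"param={finding['param']!r} value={finding['value']!r}")
```

Because parse_qsl already decodes one layer of percent-encoding, the extra bounded decode loop is what catches the double-encoded variant; a scanner that matched the raw query string would miss both flagged lines, since `<` and `"` never appear literally there.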

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=cf7-data&search="><script>alert(document.cookie);</script>

Timeline

  • March 27, 2017 – Developer notified.
  • April 3, 2017 – WordPress.org Plugin Directory notified.
  • April 3, 2017 – Plugin removed from WordPress.org Plugin Directory.

29 Mar

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in CopySafe PDF Protection

27 Mar

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in WHIZZ

28 Feb

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Raygun4WP

28 Feb

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Zibbra

28 Feb

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in AuMenu