AUTHENTICATED REFLECTED XSS IN WP STATISTICS

A new reflected XSS vulnerability has been found in the popular WordPress plugin WP Statistics (version <= 12.0.8.1), within days of Sucuri's discovery of a SQL injection vulnerability in the same plugin, which was patched immediately.

According to the Dewhurst blog, the 'ip' GET parameter on the 'wps_visitors_page' page is output to the page without first being validated, sanitised or output encoded. This leads to Authenticated Reflected Cross-Site Scripting (XSS), which could allow attackers to compromise a WordPress application by tricking an authenticated administrator into clicking a specially crafted link.

Please note that other potential instances of Authenticated XSS were identified; however, these were covered by the plugin's Cross-Site Request Forgery (CSRF) protection.

Technical Description

Source: On line 28 of the includes/log/last-visitor.php file, the value of $_GET['ip'] is assigned to the $_get variable.

Sink: On line 74 of the same file, the $_get variable is output with a PHP echo statement, with no encoding in between.

POC

Visit the link below in the Firefox browser, replacing mywordpress.com with the hostname of the site you are testing:

http://mywordpress.com/wp-admin/admin.php?page=wps_visitors_page&ip=%27%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%3C%22

The 'ip' value decodes to '><img src=x onerror=alert(1)><", which closes the attribute and tag the value is echoed into and so executes as markup.

A fully weaponised XSS exploit was then created that used the WordPress Theme Editor to insert a PHP backdoor into a WordPress site.

PREVENTION

Pass the $_get variable through the WordPress esc_attr() function before it is output, for example: $_get = esc_attr($_get);

Update the plugin to version 12.0.9, which contains the fix.
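The vulnerable pattern and the hardened form side by side, as an added illustration that is not the plugin's code or the advisory's. The HTML around the echo and the render_* function names are assumptions; esc_attr() is WordPress's own function, so a minimal stand-in is defined only when the script runs outside WordPress.

```php
<?php
// Added example: the reflected XSS pattern from the advisory and its fix.
// Outside WordPress esc_attr() does not exist; this stand-in (an assumption,
// not the WordPress implementation) performs the same HTML-attribute encoding.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern (the 'before'): the GET value is copied into $_get and
// echoed straight into an attribute. A value starting with '> closes the
// attribute and the tag, so the rest of the value becomes live markup.
function render_ip_filter_vulnerable(array $get): string {
    $_get = isset($get['ip']) ? $get['ip'] : '';
    return "<input type='text' name='ip' value='" . $_get . "'>";
}

// Hardened form, as the advisory recommends: $_get goes through esc_attr()
// before output, so quotes and angle brackets become entities and stay text.
function render_ip_filter_fixed(array $get): string {
    $_get = isset($get['ip']) ? esc_attr($get['ip']) : '';
    return "<input type='text' name='ip' value='" . $_get . "'>";
}

// Defence in depth (an addition beyond the advisory): the parameter is meant
// to carry an IP address, so reject anything that is not one before using it.
function validated_ip(array $get): ?string {
    $ip = isset($get['ip']) ? $get['ip'] : '';
    return filter_var($ip, FILTER_VALIDATE_IP) === false ? null : $ip;
}

// Constructed sample input: the decoded form of the PoC query string above.
$sample = ['ip' => "'><img src=x onerror=alert(1)><\""];
echo render_ip_filter_vulnerable($sample), PHP_EOL; // attribute broken open
echo render_ip_filter_fixed($sample), PHP_EOL;      // still a single attribute
var_dump(validated_ip($sample));                     // the payload is not an IP
var_dump(validated_ip(['ip' => '203.0.113.5']));     // a well-formed address
```

Run with php from the command line and compare the two rendered input tags; only the first contains an <img> element.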

Author: Cognore
