WordPress Store Locator Plus 4.5.09 Cross Site Scripting
Posted on 07 August 2016
------------------------------------------------------------------------ Cross-Site Scripting in Store Locator Plus for WordPress ------------------------------------------------------------------------ Yorick Koster, July 2016 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A Cross-Site Scripting vulnerability was found in Store Locator Plus for WordPress. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website. ------------------------------------------------------------------------ OVE ID ------------------------------------------------------------------------ OVE-20160724-0025 ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on Store Locator Plus for WordPress version 4.5.09. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue has been addressed in Store Locator Plus for WordPress version 4.5.12. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_store_locator_plus_for_wordpress.html This issue exists in the file include/class.admin.locations.add.php and is caused due to the lack of output encoding on the start request parameter. $this->section_params['opening_html'] = "<form id='manualAddForm' name='manualAddForm' method='post'>" . ( $this->adding ? '<input type="hidden" id="act" name="act" value="add" />' : '<input type="hidden" id="act" name="act" value="edit" />' ) . "<input type='hidden' name='id' " . "id='id' value='{$this->slplus->currentLocation->id}' />" . "<input type='hidden' name='locationID' " . "id='locationID' value='{$this->slplus->currentLocation->id}' />" . "<input type='hidden' name='linked_postid-{$this->slplus->currentLocation->id}' " . "id='linked_postid-{$this->slplus->currentLocation->id}' value='" . $this->slplus->currentLocation->linked_postid . "' />" . ( isset( $_REQUEST['start'] ) ? "<input type='hidden' name='start' id='start' value='{$_REQUEST['start']}' />" : '' ) . "<a name='a{$this->slplus->currentLocation->id}'></a>"; In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website. Proof of concept http://<target>/wp-admin/admin.php?page=slp_manage_locations&start=%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E ------------------------------------------------------------------------ Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.
