Software: Citizen Space
Advisory report: https://security.dxw.com/advisories/reflected-xss-in-citizen-space-allows-attackers-to-view-sensitive-information-of-the-attackers-choosing/
CVE: Awaiting assignment
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N)
Reflected XSS in Citizen Space allows attackers to view sensitive information of the attacker?s choosing
It is possible to request pages that will run the attackers choice of WordPress short code and display any content of the attackers choosing. This allows the attacker to view extremely sensitive data, to create content, to access forms that have been disabled and to greatly aid the exploitation of other plugins.
This can also be exploited to perform simple cross site scripting attacks (XSS) by injecting html onto pages, if a user can be tricked into following a link constructed by the attacker. This could be used e.g. to damage the reputation of the site or another entity, or to trick the user into installing malicious software
Citizen Space looks at all urls requested on the site to see if they contain ?cs_consultation? anywhere in the url including in the parameters. It then looks for the parameter path in the url, if it is found it appends into post_content with out sanitising it
$post->post_content= \'[citizenspace_consultation url=\"\'.$_GET[\'path\'].\'\"]\';
Proof of concept
Assuming a site running on localhost, making this request will inject [shortcodehere] into the page.
Disable and remove the plugin. The plugin authors (Delib) have deprecated the plugin and removed it from the plugin directory. They no longer recommend it as a way of integrating Citizen Space with WordPress:
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on firstname.lastname@example.org to acknowledge this report if you received it via a third party (for example, email@example.com) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report with 14 days.
2015-03-04: CVE requested
2015-03-05: Reported to vendor by email
2015-03-12: Confirmed plan for deprecation
2015-03-31:Plugin confirmed deprecated and removed from WP.org.
Discovered by dxw:
Please visit security.dxw.com for more information.