------------------------------------------------------------------------
Cross-Site Scripting in Store Locator Plus for WordPress
------------------------------------------------------------------------
Yorick Koster, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in Store Locator Plus for
WordPress. This issue allows an attacker to perform a wide variety of
actions, such as stealing Administrators' session tokens, or performing
arbitrary actions on their behalf. In order to exploit this issue, the
attacker has to lure/force a logged on WordPress Administrator into
opening a malicious website.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0025
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Store Locator Plus for WordPress
version 4.5.09.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in Store Locator Plus for WordPress
version 4.5.12.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_store_locator_plus_for_wordpress.html
This issue exists in the file include/class.admin.locations.add.php and is caused due to the lack of output encoding on the start request parameter.
$this->section_params['opening_html'] =
"<form id='manualAddForm' name='manualAddForm' method='post'>" .
( $this->adding ? '<input type="hidden" id="act" name="act" value="add" />' : '<input type="hidden" id="act" name="act" value="edit" />' ) .
"<input type='hidden' name='id' " .
"id='id' value='{$this->slplus->currentLocation->id}' />" .
"<input type='hidden' name='locationID' " .
"id='locationID' value='{$this->slplus->currentLocation->id}' />" .
"<input type='hidden' name='linked_postid-{$this->slplus->currentLocation->id}' " .
"id='linked_postid-{$this->slplus->currentLocation->id}' value='" .
$this->slplus->currentLocation->linked_postid .
"' />" .
( isset( $_REQUEST['start'] ) ? "<input type='hidden' name='start' id='start' value='{$_REQUEST['start']}' />" : '' ) .
"<a name='a{$this->slplus->currentLocation->id}'></a>";
In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
Proof of concept
http://<target>/wp-admin/admin.php?page=slp_manage_locations&start=%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.