WordPress W3 Total Cache Cross Site Scripting

Credit: Sipke Mellema
Risk: Low
Local: No
Remote: Yes

------------------------------------------------------------------------ Reflected Cross-Site Scripting vulnerability in W3 Total Cache plugin ------------------------------------------------------------------------ Sipke Mellema, July 2016 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A Cross-Site Scripting vulnerability was found in the W3 Total Cache plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a URL provided by an attacker. ------------------------------------------------------------------------ OVE ID ------------------------------------------------------------------------ OVE-20160719-0004 ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on W3 Total Cache version ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue is resolved in W3 Total Cache version 0.9.5. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://sumofpwn.nl/advisory/2016/reflected_cross_site_scripting_vulnerability_in_w3_total_cache_plugin.html The issue exists in the file inc/options/support/form.php and is caused by the lack of output encoding on the request_id request parameter. The vulnerable code is listed below. <input type="hidden" name="request_type" value="<?php echo $request_type; ?>" /> <input type="hidden" name="request_id" value="<?php echo $request_id; ?>" /> <input type="hidden" name="payment" value="<?php echo $payment; ?>" /> Proof of concept Have an authenticated admin visit the URL: http://<target>/wp-admin/admin.php?page=w3tc_support&request_type=bug_report&request_id="><script>alert('sumofpwn.nl');</script> A pop-up box should appear, meaning the JavaScript contained in the request_id request parameter was executed by the browser. ------------------------------------------------------------------------ Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com


Back to Top