Advisory

Yorick Koster, July 2016

Cross-Site Scripting in Store Locator Plus for WordPress

Abstract

A Cross-Site Scripting vulnerability was found in Store Locator Plus for WordPress. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

OVE ID

OVE-20160724-0025

Tested versions

This issue was successfully tested on Store Locator Plus for WordPress version 4.5.09.

Fix

This issue has been addressed in Store Locator Plus for WordPress version 4.5.12.

Introduction

Store Locator Plus for WordPress is a location mapping and directory system with over 10,000 active installations. A Cross-Site Scripting vulnerability was found in Store Locator Plus for WordPress. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.

Details

This issue exists in the file include/class.admin.locations.add.php and is caused due to the lack of output encoding on the start request parameter.

$this->section_params['opening_html'] =
   "<form id='manualAddForm' name='manualAddForm' method='post'>" .
   ( $this->adding ? '<input type="hidden" id="act" name="act" value="add" />' : '<input type="hidden" id="act" name="act" value="edit" />' ) .
   "<input type='hidden' name='id' " .
   "id='id' value='{$this->slplus->currentLocation->id}' />" .
   "<input type='hidden' name='locationID' " .
   "id='locationID' value='{$this->slplus->currentLocation->id}' />" .
   "<input type='hidden' name='linked_postid-{$this->slplus->currentLocation->id}' " .
   "id='linked_postid-{$this->slplus->currentLocation->id}' value='" .
   $this->slplus->currentLocation->linked_postid .
   "' />" .
   ( isset( $_REQUEST['start'] ) ? "<input type='hidden' name='start' id='start' value='{$_REQUEST['start']}' />" : '' ) .
   "<a name='a{$this->slplus->currentLocation->id}'></a>";

   
In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

Proof of concept

http://<target>/wp-admin/admin.php?page=slp_manage_locations&start=%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Work with us →