Persistent XSS flaws patched in multiple WordPress plugins

In addition to the All-in-One SEO plugin, WordPress administrators should update others that also have a cross-site scripting flaw

Earlier this week, WordPress administrators were urged to update the popular All-in-One SEO plugin to address a persistent cross-site scripting vulnerability. But other widely used plugins also need updating.

The plugin model for WordPress is simultaneously the platform’s greatest asset and biggest vulnerability. Administrators can happily search the rich ecosystem of plugins and find all manner of advanced features and functionality to enhance their WordPress sites. Once downloaded, these plugins are easy to install. However, the plugins are frequently poorly coded or not regularly updated, exposing WordPress sites to potential web attacks. WordPress itself is a pretty stable platform, but WordPress sites are frequently compromised because the attackers uncover a vulnerability in one of the plugins.

It turns out All-in-One wasn’t the only vulnerable plugin found by Summer of Pwnage, a Dutch community project working on uncovering vulnerabilities in popular applications. The project posted advisories on a dozen or so other XSS vulnerabilities in widely used WordPress plugins this week.

The WP Fastest Cache WordPress plugin creates static HTML files from dynamic WordPress pages. A local file inclusion vulnerability in this plugin can be exploited to run arbitrary PHP code. Attackers must place an arbitrary PHP file on the target system in order to exploit the vulnerability. The issue is in /admin/partials/menu/options.php and is caused by the lack of input validation on the id POST parameter.

WP Live Chat Support turns on the chat function on the WordPress site. The persistent XSS flaw in WP Live Chat Support is similar to the one found in All-in-One SEO in that attackers can inject malicious JavaScript code into the application, which executes within the victim’s browser with the privileges of the logged-in WordPress user. The attacker can exploit the flaw to steal a victim’s session tokens and login credentials, execute code, and log keystrokes.

The plugin uses the Referer header to present the current page on which the chat is initiated to back-end users, but the URL retrieved from that header isn’t properly output-encoded for the context in which it is rendered. Stored XSS flaws are typically more serious because they do not need to be delivered separately to the users. The victim -- potentially the logged-in Administrator -- only has to view the wplivechat-menu page to execute the malicious code. Administrators should update to Version 6.2.02.

Another stored XSS vulnerability was found in the WordPress Activity Log plugin, which allows administrators to monitor and track site activity. An unauthenticated attacker would be able to inject malicious JavaScript code into the application, which will then execute within the browser of any logged-in user who views the Activity Log. The Activity Log plugin fails to sufficiently check input supplied in the X-Forwarded-For HTTP header, and fails to output-encode it, when an incorrect password is entered. The malicious request gets stored in the Activity Log on the wp-admin page and executes every time someone views the page.

Attackers would be able to steal victims’ session tokens and login credentials, log keystrokes, perform arbitrary actions in the context of the user, and deliver malware. Administrators should update to Version 2.3.2.

The remaining plugins on this list had a cross-site scripting vulnerability that would allow an attacker to perform a variety of actions, such as stealing Administrator session tokens and performing arbitrary actions on the website with Administrator privileges. The flaws could be exploited by tricking WordPress administrators who were logged in to open a malicious site.

All-in-One was vulnerable because the plugin failed to properly sanitize the requests, which let attackers inject malicious JavaScript code in the request headers. The vulnerability in all the other plugins was the result of a lack of output encoding on the page request parameter.

Not sanitizing inputs and outputs is a common enough mistake in coding. WordPress normally validates this parameter to shut down cross-site scripting, but didn’t in these instances because of the way the parameter value was set.
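The pattern behind all three cases above (the unencoded Referer in WP Live Chat Support, the stored X-Forwarded-For value in Activity Log, and the unencoded page parameter in the rest) comes down to request-controlled text reaching HTML without output encoding. The following is an added illustration, not code from any of the plugins or the advisories: it is plain PHP so it runs without WordPress, and the local esc() helper stands in for WordPress's own esc_html()/esc_attr()/esc_url().

```php
<?php
// Added example (not from the plugins or advisories): the unsafe pattern behind
// these reports beside its fix. In a real plugin use WordPress's esc_html(),
// esc_attr() and esc_url() rather than the local esc() helper below.

// Context-aware HTML escaping. ENT_QUOTES also encodes the single quote, so the
// result is safe inside single-quoted attributes as well as in text nodes.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// VULNERABLE: request-controlled values concatenated straight into markup.
// 'page' mirrors the page-parameter case; the two headers mirror the Referer
// (WP Live Chat Support) and X-Forwarded-For (Activity Log) cases.
function render_unsafe(array $get, array $server): string {
    $page = $get['page'] ?? '';
    $ref  = $server['HTTP_REFERER'] ?? '';
    $ip   = $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'] ?? '';
    return "<a href='?page=$page'>Back</a>"
         . "<p>Visitor came from $ref</p>"
         . "<p>Failed login from $ip</p>";
}

// HARDENED: every untrusted value is encoded for the HTML context it lands in,
// and X-Forwarded-For, which any client can set freely, is validated as an IP
// before it is stored or shown. For stored XSS the encoding must happen at
// output time, whatever was written to the log earlier.
function render_safe(array $get, array $server): string {
    $page = $get['page'] ?? '';
    $ref  = $server['HTTP_REFERER'] ?? '';
    $raw  = $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'] ?? '';
    // Take the first hop only and keep it solely if it is a syntactically valid IP.
    $ip   = filter_var(trim(explode(',', $raw)[0]), FILTER_VALIDATE_IP) ?: 'invalid';
    return "<a href='?page=" . esc($page) . "'>Back</a>"
         . "<p>Visitor came from " . esc($ref) . "</p>"
         . "<p>Failed login from " . esc($ip) . "</p>";
}

// Constructed sample request (not a real capture) carrying a script tag in all
// three untrusted positions.
$tag    = '<script>alert(1)</script>';
$get    = ['page' => "x'>" . $tag];
$server = ['HTTP_REFERER' => $tag, 'HTTP_X_FORWARDED_FOR' => $tag];

echo render_unsafe($get, $server), "\n";  // markup contains a live <script> element
echo render_safe($get, $server), "\n";    // &lt;script&gt;... is rendered as text
```

Run with `php example.php` and compare the two lines: in the second, no `<script>` survives as markup and the forged forwarded-for value is replaced by `invalid` rather than logged.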

  • The Top 10-Popular Posts plugin tracks daily and total visits for blog posts and displays the number of visits for popular and trending posts. The issue exists in the file class-stats.php. Anyone using the Top 10 plugin should update to Version 2.3.1.
  • The WP No External Links plugin masks all external links across all the pages by making them internal or hiding them altogether. The issue is in the wp-noexternallinks-options.php file. Anyone using the WP No External Links plugin should update to Version 3.5.16.
  • The Google forms plugin embeds a published, public Google Form into a WordPress page or widget. The issue is in file wpgform-logging.php. Anyone using the Google Forms plugin should update to Version 0.85.
  • The Simple Membership WordPress plugin lets administrators set up the ability to have users sign in and out of the website and restrict access to certain pieces of content. The flaw existed in multiple files, including class.swpm-members.php, class.swpm-membership-levels.php, admin_members_list.php, and admin_all_payment_transactions.php. WordPress administrators using Simple Membership should update to Version 3.2.9.
  • The Profile Builder WordPress plugin provides WordPress administrators with a front-end login, user registration page, and a way to edit user profiles. The issue is in the file class-email-confirmation.php and is triggered by the page value an attacker places in the URL. Administrators should update to Version 2.4.2.
  • MailChimp is a widely popular email marketing platform. The Easy Forms for MailChimp WordPress plugin lets users add unlimited MailChimp signup forms to different parts of a WordPress site, including posts, pages, sidebars, and other widgetized areas. Administrators should update to Version 6.1.
  • Master Slider is a responsive image and content slider that gives users smooth, hardware-accelerated transitions. The plugin supports touch navigation with a pure swipe gesture. Administrators should use Master Slider Version 2.8.0.
  • Email Users lets WordPress administrators send email to all registered users. The issue exists in the file email_users_user_settings.php. Administrators using the plugin should update to Version 4.8.3.

Attackers like to target WordPress sites through vulnerabilities in third-party plugins. Plenty of administrators neglect to patch the CMS. Even those diligent about staying on top of the core updates may forget to update the plugins, or opt not to because they don't want the updated plugins to break existing functionality.

When plugins are no longer being actively maintained, the administrator may decide to keep using the plugin instead of looking for an alternative. There are many reasons for still using outdated plugins, but the bottom line is that they provide attackers with a simple way to compromise and seize control of the WordPress site.

Copyright © 2016 IDG Communications, Inc.