For feedback or questions about this advisory mail us at sumofpwn at securify.nl
This issue was found during the Summer of Pwnage hacker event, running from July 1-29: a community summer event in which a large group of security bug hunters from around the world collaborate in a month of security research on open source software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
This issue was successfully tested on WordPress Activity Log plugin version 2.3.1.
This issue has been fixed in version 2.3.2 of the WordPress Activity Log plugin. The updated plugin can be downloaded from the following location: https://downloads.wordpress.org/plugin/aryo-activity-log.2.3.2.zip.
The WordPress Activity Log plugin fails to sufficiently validate input supplied in the X-Forwarded-For HTTP header and does not perform output encoding when that input is presented in a "wrong password" event. As a result, the malicious request is stored in the Activity Log page, and the payload executes when an unsuspecting user views that page.
An attacker can use this vulnerability to perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, logging their keystrokes, or delivering malware.
Persistent cross-site scripting flaws are typically more serious than reflected ones because they do not require a separate delivery mechanism to reach target users (victims).
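The two missing controls named above are input validation of the forwarded address and output encoding when the stored value is rendered. The following is an added illustrative example, not the plugin's own code and not the fix shipped in version 2.3.2; it assumes the site sits behind a trusted reverse proxy that sets X-Forwarded-For, and the function names, the sample request array and the `esc_html()` stand-in are assumptions made here so the snippet runs outside WordPress.

```php
<?php
// Added illustrative example (not the plugin's code): derive a safe client
// address from X-Forwarded-For at input time, and encode it at output time.
// Assumption: a trusted reverse proxy sets XFF; without one, XFF is ignored.

// WordPress provides esc_html(); this minimal stand-in lets the file run on its own.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

/**
 * Return the first entry of a comma-separated X-Forwarded-For value that is a
 * syntactically valid IPv4/IPv6 address, or null if no entry is.
 * This is input validation: anything that is not an address never reaches storage.
 */
function first_valid_forwarded_ip(?string $xff): ?string {
    if ($xff === null || $xff === '') {
        return null;
    }
    foreach (explode(',', $xff) as $candidate) {
        $candidate = trim($candidate);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return null;
}

/**
 * Choose the address to record for a login event: the validated XFF entry when
 * the request came through the trusted proxy, otherwise the socket address.
 */
function client_ip_for_log(array $server, bool $behind_trusted_proxy): string {
    if ($behind_trusted_proxy) {
        $ip = first_valid_forwarded_ip($server['HTTP_X_FORWARDED_FOR'] ?? null);
        if ($ip !== null) {
            return $ip;
        }
    }
    return $server['REMOTE_ADDR'] ?? '0.0.0.0';
}

/**
 * Render one stored log row. Encoding happens here, at output time, independently
 * of earlier validation, so a value that reached storage unvalidated is still
 * shown as text rather than interpreted as markup by the viewer's browser.
 */
function render_log_row(string $ip, string $event): string {
    return '<tr><td>' . esc_html($ip) . '</td><td>' . esc_html($event) . '</td></tr>';
}

// Constructed sample request: the XFF header carries markup instead of an address.
$sample_server = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '<b>not-an-ip</b>, 198.51.100.7',
];

// Validation skips the markup entry and records "198.51.100.7".
$ip = client_ip_for_log($sample_server, true);
echo render_log_row($ip, 'wrong password') . "\n";

// Defence in depth: even the raw, unvalidated header value is inert once encoded.
echo render_log_row($sample_server['HTTP_X_FORWARDED_FOR'], 'wrong password') . "\n";
```

Both layers matter: validation keeps junk out of the log, and encoding on render protects the admin viewing the page even if some other code path stores a value without validating it. Without a trusted proxy in front of the site, the forwarded header is attacker-controlled and REMOTE_ADDR is the only address worth recording.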
This vulnerability can be demonstrated by submitting an X-Forwarded-For (XFF) header similar to the following:
POST /wp-login.php HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Accept-Encoding: gzip, deflate