YOP Poll 5.7.3, Reflected XSS

The YOP Poll plugin exposes a number of AJAX requests to the public (see lines 15-40 in the file yop-poll/inc/admin.php). An XSS vulnerability has been found in at least one of these functions – namely yop_poll_set_wordpress_vote. This function is available to both registered and non-registered users. The vulnerable fields are Base64 encoded (see lines 859 to 912 of yop-poll/inc/admin.php), meaning any attacks performed will bypass not only the auto-escaping of quotes performed by WordPress/PHP, but also any XSS-prevention methods implemented by browsers.

Homepage

https://wordpress.org/plugins/yop-poll/

CVSS Score

5

CVSS Vector

(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Attack Scope

remote

Authorization Required

None

Mitigation

Update to version 5.7.4.

Proof of Concept

http://localhost/wp-admin/admin-ajax.php?action=yop_poll_set_wordpress_vote&poll_id=JzthbGVydCgxKTsn

When the above URL is visited, an alert will be presented to the user. Note that the decoded value of the ‘poll_id’ parameter is ‘;alert(1);’, with the enclosing single quotes being part of the payload.
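Because the payload travels Base64-encoded, a plain grep of access logs for `alert(` or `<script` will not find it. The following detection helper is an added example, not part of the advisory: it decodes the `poll_id` of every request to the vulnerable action and flags any value that is not a plain integer. The log lines are constructed samples in combined format; the second one carries the advisory's PoC.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

VOTE_ACTION = "yop_poll_set_wordpress_vote"   # AJAX action named in the advisory
# Request field of a combined-format access log: "GET /path?query HTTP/1.1"
_REQ_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_poll_id(raw):
    """Base64-decode poll_id leniently (missing padding tolerated); None if undecodable."""
    padded = raw + "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(padded).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def classify_request(line):
    """Return (verdict, decoded_poll_id) for one access-log line: 'ignore' (other
    request), 'malformed' (poll_id missing/undecodable), 'ok' (decodes to a plain
    integer) or 'suspicious' (anything else, e.g. the quotes in the PoC payload)."""
    m = _REQ_RE.search(line)
    if not m:
        return ("ignore", None)
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return ("ignore", None)
    qs = parse_qs(url.query, keep_blank_values=True)
    if qs.get("action", [""])[0] != VOTE_ACTION:
        return ("ignore", None)
    raw = qs.get("poll_id", [""])[0]
    decoded = decode_poll_id(raw) if raw else None
    if decoded is None:
        return ("malformed", None)
    # A poll id should only ever be a number; anything else is an injection attempt.
    return ("ok", decoded) if re.fullmatch(r"\d+", decoded) else ("suspicious", decoded)

# Constructed sample lines (RFC 5737 test addresses); line 2 carries the advisory's PoC.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jul/2015:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=yop_poll_set_wordpress_vote&poll_id=Nw== HTTP/1.1" 200 512',
    '198.51.100.9 - - [08/Jul/2015:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=yop_poll_set_wordpress_vote&poll_id=JzthbGVydCgxKTsn HTTP/1.1" 200 640',
    '203.0.113.5 - - [08/Jul/2015:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG, 1):
        verdict, decoded = classify_request(line)
        if verdict == "suspicious":
            print(f"line {n}: decoded poll_id = {decoded!r}")
```

The same check, applied to `poll_id` before it is used, is also the server-side fix: a poll id that is not an integer should be rejected rather than reflected.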

Timeline

  • 2015-05-14: Discovered
  • 2015-05-14: Vendor notified
  • 2015-05-14: Vendor responded
  • 2015-05-16: Vendor provided code for review – issue appears resolved in proposed update
  • 2015-06-17: Vendor notified of pending email to WordPress Plugins team for plugin removal
  • 2015-06-17: Vendor stated that release of update was delayed, but that an update has now been released
  • 2015-06-24: Vendor queried over update – still seeing vulnerable version as most recent version
  • 2015-06-24: Vendor responds that we’re mistaken – states 5.7.3 is patched
  • 2015-06-25: Version 5.7.3 re-tested, and is confirmed as vulnerable to the original PoC. Update requested from vendor. One week given until notification of WordPress Plugins team due to lack of adequate response
  • 2015-06-26: Vendor states that the issue will be looked into – communication error between Development and Support
  • 2015-06-29: Vendor states that version 5.7.4 is pending release
  • 2015-07-01: Version 5.7.4 released – issue resolved
  • 2015-07-08: Advisory released