The executive dashboard in WordPress is a fairly secure place: Solely elevated customers can entry it. Exploiting a plugin’s admin panel would serve little or no goal right here — an administrator already has the required permissions to do the entire actions a vulnerability might trigger.
Whereas that is often true, there are a selection of methods dangerous actors are utilizing to trick an administrator into performing actions they might not anticipate, comparable to Cross Site Request Forgery (CSRF) or Clickjacking assaults. By utilizing these methods, an attacker can exploit a vulnerability on the behalf of an administrator — probably making a minor challenge a significant safety drawback.
An attacker can exploit these vulnerabilities by having an administrator go to a hyperlink — and even view a picture — by utilizing a particularly crafted payload particular to the focused web site.
On this put up, we’ll reveal many vulnerabilities we’ve discovered having an analogous supply, all of which result in a mirrored XSS in administrative pages.
Here’s a checklist of plugins which had been susceptible to this assault:
Delicate actions on an internet site must be protected utilizing all kinds of methods: permission checks, nonces, secrets and techniques, and extra. Locations generally neglected when it comes to safety are pages which don’t set off actions, comparable to plugin settings or overview pages.
What we found is that each one of those plugins had quite a lot of the identical drawback: They belief the browser URL to include solely legitimate info, whereas not utilizing different mechanisms to sanitize or validate the info it incorporates. As the info was not correctly sanitized, it at all times led to a mirrored XSS vulnerability the place malicious code may very well be executed on the behalf of the consumer.
Since there are a number of variants of the vulnerability on every of those plugins, let’s see the standard state of affairs: The susceptible settings web page.
Settings pages incessantly have a number of tabs which break up the data by class. To tell apart which of those tabs is presently getting used, these plugins typically use the tab request argument to conditionally render completely different sections of the web page.
Here’s a susceptible pattern:
On this state of affairs, by utilizing $activeTab as a price, class, or by rendering it wherever with out sanitizing it, we get a mirrored XSS utilizing the tab argument.
Lastly, to take advantage of this XSS, all we have to do is ship an administrator a hyperlink to the settings web page with our payload within the tab argument:
http://web site.invalid.com/wp-admin/options-general.php?web page=plugin-settings&tab="><script>alert(doc.area)</script>
Because the hyperlink is for a similar web site, an unsuspecting administrator could be tempted to click on on it — an motion which might set off the exploit on his personal account.
Whereas sure vulnerabilities are undoubtedly extra harmful than others, all vulnerabilities no matter their severity can be utilized by attackers to break your web site.
To mitigate danger and stop an exploit, it’s crucial that you just maintain all web site software program and third-party parts updated with the newest safety patches. We additionally encourage web site homeowners to benefit from file integrity monitoring services that may provide help to determine indicators of compromise.
If you happen to’re having issue staying on high of updates, you should use a web application firewall to nearly patch recognized vulnerabilities till you will get to them your self.