Watu 2.4.9 XSS

Homepage:

https://wordpress.org/plugins/watu/

CVE-ID

CVE-2014-8804

CVSS Score

4.3

CVSS Vector

(AV:N/AC:M/Au:N/C:P/I:N/A:N)

Description:

Datas from “Open End” questions are not escaped properly (the_content() function is used).

File: watu\controllers\show_exam.php

if($ques->answer_type=='textarea' and !empty($_POST["answer-" . $ques->ID][0])) {
	if(!sizeof($all_answers)) $textarea_class = 'correct-answer';
	$result .= wpautop("<li class='user-answer $textarea_class'><span class='answer'><!--WATUEMAIL".$class."WATUEMAIL-->".stripslashes($_POST["answer-" . $ques->ID][0])."</span></li>");
}
$results_output = '<hr />' . apply_filters(WATU_CONTENT_FILTER,$result);
$snapshot = $final_output . $results_output;
$wpdb->query($wpdb->prepare("UPDATE ".WATU_TAKINGS." SET snapshot=%s WHERE ID=%d", $snapshot, $taking_id));

XSS is visible for admin.

File: watu\controllers\takings.php

function watu_taking_details() {
	global $wpdb, $user_ID;
	
	// select taking
	$taking=$wpdb->get_row($wpdb->prepare("SELECT * FROM ".WATU_TAKINGS."
			WHERE id=%d", $_REQUEST['id']));
			
	// select user
	$student=$wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->users} 
		WHERE id=%d", $taking->user_id));

	// make sure I'm admin or that's me
	if(!current_user_can('manage_options') and $student->ID!=$user_ID) {
		wp_die( __('You do not have sufficient permissions to access this page', 'watu') );
	}
			
	// select exam
	$exam=$wpdb->get_row($wpdb->prepare("SELECT * FROM ".WATU_EXAMS." WHERE id=%d", $taking->exam_id));
				
	require(WATU_PATH. '/views/taking_details.html.php');   
	exit;			
}

File: watu\views\taking_details.html.php

<p><?php echo stripslashes($taking->snapshot); ?></p>

Proof of Concept:

If exam has at least one “Open End” question it is possible to add XSS there, for example:

<script>alert("XSS");</script>

It will be visible for user after sending form and also for admin:

http://wordpress-instalation/wp-admin/admin.php?page=watu_takings&exam_id=%exam_id%

It must press “view” button, which loads:

http://wordpress-instalation/wp-admin/admin-ajax.php?action=watu_taking_details&id=%result_id%

Timeline: