Advisory:

CSRF/Stored XSS in MSMC – Redirect After Comment could allow unauthenticated individuals to do almost anything

Vulnerability

Last revised:

An unauthenticated individual can cause arbitrary JavaScript to execute within /wp-admin/ in the browser of a logged-in admin user. This could be achieved by sending a link to the admin user.

The attacker could use this to create a new user, create posts, add arbitrary PHP code (if the theme/plugin editor component is enabled) – almost anything a logged-in admin user can do.

Current state: Identified

CVSS Summary

CVSS v2 base scores for this vulnerability (vector AV:N/AC:M/Au:N/C:P/I:P/A:N):

  Score               5.8 (Medium)
  Access vector       Network
  Access complexity   Medium
  Authentication      None
  Confidentiality     Partial
  Integrity           Partial
  Availability        None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Step 1: Log in as an admin user. (In the CSRF scenario the victim is already logged in; the attacker only needs them to open the link in step 2.)

Step 2: Visit this URL to store the arbitrary HTML: http://localhost/wp-admin/options-general.php?page=msmc-comment-redirect&action=1&MSMC_redirect_location=http://localhost/?%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Step 3: Visit this URL to execute the JavaScript: http://localhost/wp-admin/options-general.php?page=msmc-comment-redirect

Step 3 is unnecessary in browsers without XSS filtering (e.g. Firefox), because the response to the step 2 request already renders the stored value.
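The proof of concept exposes two separate defects in the settings page: the option is written from a plain GET request with no nonce (which is what makes the forged link work), and the stored value is echoed back into the page without escaping (which turns the injected quote and script tag into stored XSS). The following is an added illustration of how a WordPress settings handler for the same option would close both holes; it is not the plugin's own code, and the option name `MSMC_redirect_location`, the menu slug, and the `msmc_example_*` hook and nonce names are assumptions. The "insecure pattern" shown in the comment is a reconstruction of the behaviour the advisory describes, not code taken from the plugin.

```php
<?php
// Hypothetical hardened settings handler, written for this advisory as an
// illustration of the fix pattern. It is NOT the plugin's own code; the
// option name, slug, hook names and function names are assumed.

add_action( 'admin_menu', function () {
    add_options_page(
        'Redirect After Comment',
        'Redirect After Comment',
        'manage_options',               // only users who may manage options reach the page
        'msmc-comment-redirect',
        'msmc_example_render_settings_page'
    );
} );

// Insecure pattern the advisory describes (reconstructed, not the plugin's code):
//   if ( isset( $_GET['action'] ) ) {
//       update_option( 'MSMC_redirect_location', $_GET['MSMC_redirect_location'] );
//   }
//   echo '<input value="' . get_option( 'MSMC_redirect_location' ) . '">';
// A GET request with no nonce lets a forged link change the option (CSRF),
// and the unescaped echo turns an injected quote + <script> into stored XSS.

function msmc_example_handle_save() {
    // 1. Only act on a form POST, never on a link that a browser follows by itself.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['msmc_example_save'] ) ) {
        return;
    }
    // 2. Capability check: the requesting user must be allowed to change options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 3. Nonce check: the token proves the form was rendered by this site for this user,
    //    which is what defeats the cross-site forgery. Dies on failure.
    check_admin_referer( 'msmc_example_save_redirect', 'msmc_example_nonce' );

    // 4. Sanitize on input: esc_url_raw() keeps a URL with an allowed scheme and strips
    //    characters that cannot appear in one, so markup never reaches the database.
    $location = isset( $_POST['MSMC_redirect_location'] )
        ? esc_url_raw( wp_unslash( $_POST['MSMC_redirect_location'] ) )
        : '';

    update_option( 'MSMC_redirect_location', $location );
    add_settings_error( 'msmc_example', 'saved', 'Settings saved.', 'updated' );
}
add_action( 'admin_init', 'msmc_example_handle_save' );

function msmc_example_render_settings_page() {
    $location = get_option( 'MSMC_redirect_location', '' );
    settings_errors( 'msmc_example' );
    ?>
    <div class="wrap">
        <h1>Redirect After Comment</h1>
        <form method="post" action="">
            <?php wp_nonce_field( 'msmc_example_save_redirect', 'msmc_example_nonce' ); ?>
            <label for="MSMC_redirect_location">Redirect location</label>
            <!-- 5. Escape on output: esc_attr() for an attribute value, so a stray quote
                 in the stored option cannot break out of the attribute. -->
            <input type="url" id="MSMC_redirect_location" name="MSMC_redirect_location"
                   value="<?php echo esc_attr( $location ); ?>" class="regular-text">
            <?php submit_button( 'Save', 'primary', 'msmc_example_save' ); ?>
        </form>
    </div>
    <?php
}
```

Input sanitization and output escaping are deliberately both present: `esc_url_raw()` on the way in keeps the database clean, and `esc_attr()` on the way out protects the page even if the option was written by some other code path (or before the fix was applied). The nonce and POST requirement address the CSRF half independently of the XSS half; removing either control reopens one of the two defects the proof of concept exercises.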

Advisory timeline

  • 2017-03-17: Discovered
  • 2017-03-20: Sent a public message on Twitter requesting the ability to DM with them
  • 2017-03-20: Plugin author responded that the plugin was abandonware and that I could DM them
  • 2017-03-21: Sent another public message as I was still unable to send them a DM
  • 2017-04-04: Sent another public message
  • 2017-04-10: The plugin was removed from wordpress.org
  • 2017-04-24: Sent another public message to check that the plugin was permanently removed
  • 2017-05-08: Published
  • 2017-09-29: Requested CVE

Mitigation/further actions

The plugin author has indicated that this plugin is abandonware and has unpublished it from the WordPress directory. Disable and uninstall the plugin as this bug won’t be fixed.
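Before or after removing the plugin, a site owner may want to know whether the option-writing request from step 2 of the proof of concept ever reached the server. The following added check, which is not part of the advisory or the plugin, scans web-server access log lines in the common combined format for writes to the plugin's settings page and flags any redirect value that is not a plain URL. The log lines in `$sample` are constructed for the example, and the helper name `msmc_example_flag_suspicious_writes` is an assumption.

```php
<?php
// Hypothetical log check written for this advisory: scans access log lines
// (combined format) for requests that would have written the plugin's redirect
// option, and flags stored values that contain markup or are not URL-shaped.
// The sample lines below are constructed, not real traffic.

function msmc_example_flag_suspicious_writes( array $lines ): array {
    $flagged = [];
    foreach ( $lines as $line ) {
        // Combined log format: ... "GET /path?query HTTP/1.1" status size "referer" "agent"
        if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
            continue;
        }
        $parts = parse_url( $m[1] );
        if ( ( $parts['path'] ?? '' ) !== '/wp-admin/options-general.php' || empty( $parts['query'] ) ) {
            continue;
        }
        parse_str( $parts['query'], $q ); // parse_str() also percent-decodes the values
        if ( ( $q['page'] ?? '' ) !== 'msmc-comment-redirect'
            || ! isset( $q['action'], $q['MSMC_redirect_location'] ) ) {
            continue; // reading the settings page is normal; only writes matter here
        }
        $value       = $q['MSMC_redirect_location'];
        $looksLikeUrl = filter_var( $value, FILTER_VALIDATE_URL ) !== false;
        // The decisive test: a legitimate redirect target never contains quotes or angle brackets.
        $hasMarkup   = preg_match( '/[<>"\']/', $value ) === 1;
        if ( ! $looksLikeUrl || $hasMarkup ) {
            $flagged[] = [ 'line' => $line, 'value' => $value ];
        }
    }
    return $flagged;
}

// Constructed sample: a benign save, the advisory's payload, and a plain page view.
$sample = [
    '10.0.0.5 - - [17/Mar/2017:10:01:02 +0000] "GET /wp-admin/options-general.php?page=msmc-comment-redirect&action=1&MSMC_redirect_location=http://localhost/thanks/ HTTP/1.1" 200 5120 "http://localhost/wp-admin/" "Mozilla/5.0"',
    '10.0.0.5 - - [17/Mar/2017:10:02:30 +0000] "GET /wp-admin/options-general.php?page=msmc-comment-redirect&action=1&MSMC_redirect_location=http://localhost/?%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [17/Mar/2017:10:03:00 +0000] "GET /wp-admin/options-general.php?page=msmc-comment-redirect HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

foreach ( msmc_example_flag_suspicious_writes( $sample ) as $hit ) {
    // Only the second sample line is reported.
    echo "Suspicious redirect value stored: {$hit['value']}\n";
}
```

A hit means the value was also written into the site's options table. Once the plugin is removed the settings page that rendered it is gone, but the stored option (its exact name is an assumption here) is still worth inspecting and clearing, and the referer and source address on the flagged line tell you whether the write came from the admin's own browser session or from a link opened elsewhere.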