Advisory:

Publicly exploitable XSS in WordPress plugin Navis Documentcloud

Vulnerability

This plugin contains the following code in js/window.php:

$SITEURL .= $_GET['wpbase'];

// snip

<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
<script src="<?php echo $SITEURL; ?>wp-includes/js/tinymce/tiny_mce_popup.js"></script>

The value of the wpbase query parameter is appended to $SITEURL without validation or escaping and then echoed into the src attribute of a script tag, which is a trivially exploitable reflected XSS.
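For comparison, the following is an added example of how the same output could be produced safely; it is not the plugin's code or the 0.1.1 fix, and the function names are hypothetical. It assumes, as the advisory implies, that window.php runs outside the WordPress bootstrap, so esc_url() and esc_attr() are unavailable and only plain PHP can be relied on.

```php
<?php
// Added example, not the plugin's own code. Hardened handling of the
// wpbase parameter for a script loaded without the WordPress bootstrap.

// Return a safe base path for building the wp-includes URL. Only a
// root-relative directory path drawn from a tight character set is
// accepted; anything else (a scheme, a host, quotes, angle brackets,
// "..") falls back to $default.
function navis_safe_wpbase(array $query, string $default = '/'): string
{
    if (!isset($query['wpbase']) || !is_string($query['wpbase'])) {
        return $default;
    }
    $base = $query['wpbase'];
    if (!preg_match('#\A/(?:[A-Za-z0-9_\-]+/)*\z#', $base)) {
        return $default;
    }
    return $base;
}

// Escape a value for use inside a double-quoted HTML attribute.
function navis_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Build the script tag. The value is escaped at output time even though
// it was already validated, so neither check alone is a single point of
// failure.
function navis_tinymce_script_tag(array $query): string
{
    $src = navis_safe_wpbase($query) . 'wp-includes/js/tinymce/tiny_mce_popup.js';
    return '<script src="' . navis_attr($src) . '"></script>';
}

// Constructed inputs: the decoded payload from the advisory's proof of
// concept, and a benign subdirectory install.
$hostile = ['wpbase' => '">alert(\'xss\')</script><script src="'];
$benign  = ['wpbase' => '/blog/'];

echo navis_tinymce_script_tag($hostile), "\n"; // rejected, falls back to "/"
echo navis_tinymce_script_tag($benign), "\n";  // src="/blog/wp-includes/..."
```

Better still is to not read the base from the query string at all and derive the wp-includes path from the script's own location on disk, which removes the attacker-controlled input entirely.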

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:

  • Score: 6.4 (Medium)
  • Access vector: Network
  • Access complexity: Low
  • Authentication: None
  • Confidentiality impact: Partial
  • Integrity impact: Partial
  • Availability impact: None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Visit the following page on a site with this plugin installed. Note that the plugin need not be active:

http://yourwordpresssite/wp-content/plugins/navis-documentcloud/js/window.php?wpbase=%22%3Ealert(%27xss%27)%3C/script%3E%3Cscript%20src=%22

NB: this proof of concept may not work in browsers with XSS protection features.

Advisory timeline

  • 2015-03-31 – Discovered
  • 2015-03-31 – Requested CVE
  • 2015-07-14 – Reported to support@documentcloud.org
  • 2015-07-14 – Vendor responded saying they’ll get in touch with the developer
  • 2015-08-24 – Vendor reported the issue fixed in version 0.1.1
  • 2015-08-26 – Published

Mitigation/further actions

This plugin is no longer maintained, so if at all possible, switch to using the DocumentCloud plugin https://wordpress.org/plugins/documentcloud/.

If this is not possible, upgrade to version 0.1.1 or later.