------------------------------------------------------------------------
Cross-Site Scripting in Uji Countdown WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Uji Countdown WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0029
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Uji Countdown [2] WordPress Plugin version 2.0.6.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Uji Countdown version 2.0.7 [3].
------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Uji Countdown [2] WordPress Plugin allows users to display a countdown on their post or page.

A Cross-Site Scripting vulnerability was found in the Uji Countdown WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file /classes/class-uji-countdown-admin.php and is caused by the lack of output encoding in the ujic_tabs_values() function. The values read from the uji_counter table (time, title and style) are concatenated into the admin page markup without being escaped.

    private function ujic_tabs_values() {
        global $wpdb;
        $ujictab = '';
        $table_name = $wpdb->prefix . "uji_counter";
        $ujic_datas = $wpdb->get_results( "SELECT * FROM $table_name ORDER BY `time` DESC" );
        if ( !empty( $ujic_datas ) ) {
            foreach ( $ujic_datas as $ujic ) {
                $ujic_style = !empty( $ujic->style ) ? $ujic->style : 'classic';
                $ujic_ico = '' . $ujic_style . '';
                $ujictab .= ' ' . $ujic->time . ' ' . $ujic->title . ' ' . $ujic_ico . ' Edit | Delete ';
            }
        }
        return $ujictab;
    }

In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
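As an added illustration of the fix class (not the plugin's own 2.0.7 code and not part of the original advisory), the function below rewrites ujic_tabs_values() so that every database-sourced value passes through WordPress output encoding before it reaches the page. The advisory does not reproduce the original HTML markup, so the table/img structure, the icon path, the row id column and the Edit/Delete query parameters are assumptions.

```php
<?php
// Added example: hardened variant of ujic_tabs_values(). Every value read
// from the uji_counter table is escaped for the context it is placed in
// (esc_html for text nodes, esc_attr for attributes, esc_url for hrefs).
// Markup, icon path and link parameters are assumed, not taken from the plugin.
class Uji_Countdown_Admin_Hardened {
    private function ujic_tabs_values() {
        global $wpdb;
        $ujictab    = '';
        $table_name = $wpdb->prefix . 'uji_counter';
        $ujic_datas = $wpdb->get_results(
            "SELECT * FROM {$table_name} ORDER BY `time` DESC"
        );
        if ( empty( $ujic_datas ) ) {
            return $ujictab;
        }
        foreach ( $ujic_datas as $ujic ) {
            $ujic_style = ! empty( $ujic->style ) ? $ujic->style : 'classic';
            // The style value is used to build a file name, so restrict it to a
            // safe character set in addition to escaping it on output.
            if ( ! preg_match( '/^[a-z0-9_-]+$/i', $ujic_style ) ) {
                $ujic_style = 'classic';
            }
            // Assumed icon location; plugins_url() resolves it relative to this file.
            $icon_url = plugins_url( 'img/' . $ujic_style . '.png', __FILE__ );
            $ujic_ico = '<img src="' . esc_url( $icon_url ) . '" alt="'
                      . esc_attr( $ujic_style ) . '">';
            // Assumed: the table has an integer id column and the admin page
            // takes "edit" / "delete" parameters. Casting to int prevents the id
            // from carrying markup into the href.
            $row_id     = (int) $ujic->id;
            $edit_url   = admin_url( 'admin.php?page=uji-countdown&edit=' . $row_id );
            $delete_url = admin_url( 'admin.php?page=uji-countdown&delete=' . $row_id );
            $ujictab .= '<tr>'
                . '<td>' . esc_html( $ujic->time ) . '</td>'
                . '<td>' . esc_html( $ujic->title ) . '</td>'
                . '<td>' . $ujic_ico . '</td>'
                . '<td><a href="' . esc_url( $edit_url ) . '">Edit</a> | '
                . '<a href="' . esc_url( $delete_url ) . '">Delete</a></td>'
                . '</tr>';
        }
        return $ujictab;
    }
}
```

A stored title such as a string containing an inline event handler is rendered as literal text by esc_html() instead of being interpreted by the Administrator's browser.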
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_uji_countdown_wordpress_plugin.html
[2] https://wordpress.org/plugins/uji-countdown/
[3] https://downloads.wordpress.org/plugin/uji-countdown.zip