------------------------------------------------------------------------
Persistent Cross-Site Scripting vulnerability in User Access Manager WordPress Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A persistent Cross-Site Scripting vulnerability has been encountered in the User Access Manager WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure or force a logged-in WordPress Administrator into opening a malicious website.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0025
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the User Access Manager [2] WordPress Plugin version 1.2.6.7.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in User Access Manager version 1.2.14 [3].
------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
With the User Access Manager WordPress plugin it is possible to manage access to posts, pages and files. This plugin is useful if you need a member area or a private section on your blog, or if you want other people to be able to write on your blog, but not everywhere.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
Persistent Cross-Site Scripting was found in the admin panel 'manage' page of User Access Manager. Multiple parameters of the POST uam_usergroup request are affected due to insufficient output encoding. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure or force a logged-in WordPress Administrator into opening a malicious website.
------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
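As an added illustration that is not the advisory's proof of concept and not the plugin's own code, the hypothetical WordPress admin-page handler below shows the class of defect described under Details (a POST value stored and later echoed into the 'manage' page without output encoding) beside a hardened version that also closes the "lure an Administrator to a malicious website" path with a nonce check. All names prefixed demo_ and the uam_usergroup_demo field are assumptions.

```php
<?php
// Added illustration (not User Access Manager's code). Function names, the
// option key and the uam_usergroup_demo field are hypothetical.

// VULNERABLE PATTERN: the POST field is stored unchanged and later echoed
// into the page without HTML encoding, so a stored value containing markup
// executes in every Administrator's browser that renders the page.
function demo_save_group_vulnerable() {
    if ( isset( $_POST['uam_usergroup_demo']['name'] ) ) {
        update_option( 'demo_group_name', $_POST['uam_usergroup_demo']['name'] );
    }
}
function demo_render_group_vulnerable() {
    $name = get_option( 'demo_group_name', '' );
    echo '<td>' . $name . '</td>';                      // raw text node
    echo '<input name="group" value="' . $name . '">';  // raw attribute
}

// HARDENED PATTERN.
function demo_save_group_hardened() {
    // 1. Capability check plus CSRF nonce: a third-party site the
    //    Administrator is lured to cannot forge this request.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_save_group', 'demo_nonce' );
    if ( isset( $_POST['uam_usergroup_demo']['name'] ) ) {
        // 2. Normalise the input (strips tags and control characters).
        //    This keeps stored data sane but is not the XSS fix by itself.
        $name = sanitize_text_field( wp_unslash( $_POST['uam_usergroup_demo']['name'] ) );
        update_option( 'demo_group_name', $name );
    }
}
function demo_render_group_hardened() {
    $name = get_option( 'demo_group_name', '' );
    // 3. Encode for the exact output context: esc_html() for text nodes,
    //    esc_attr() inside attribute values. Markup is then shown as text.
    echo '<td>' . esc_html( $name ) . '</td>';
    echo '<input name="group" value="' . esc_attr( $name ) . '">';
    // The form posting to demo_save_group_hardened() must carry the nonce
    // that check_admin_referer() verifies above.
    wp_nonce_field( 'demo_save_group', 'demo_nonce' );
}
```

The fix is the context-specific escaping at output time; sanitising on input and the nonce check are defence in depth against the storage and the cross-site delivery of the payload respectively.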
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_user_access_manager_wordpress_plugin.html
[2] https://wordpress.org/plugins/user-access-manager/
[3] https://downloads.wordpress.org/plugin/user-access-manager.1.2.14.zip