------------------------------------------------------------------------
Cross-Site Scripting in Magic Fields 1 WordPress Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site Scripting vulnerability has been encountered in
the Magic Fields 1 WordPress plugin. This issue allows an attacker to
perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0019

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Magic Fields 1 [2] version 1.7.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is addressed in the 1.7.2 [3] version of Magic Fields 1. You
can obtain the most recent version on the following location:
https://github.com/hunk/Magic-Fields/releases [4]

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Magic Fields is a WordPress plugin that allows for easy creation of
custom fields in various post types in a WordPress post. A reflected
Cross-Site Scripting vulnerability was found in Magic Fields that allows
an attacker to perform a wide variety of actions, such as stealing
administrators' session tokens, or performing arbitrary actions on their
behalf. To exploit this issue an attacker needs to lure a user with
administrator privileges to a page controlled by the attacker or trick
him into clicking a malicious link.
                                                                        
                                                                        
                                                                        
                                                       
[h3]Details[/h3]                                                        
                                                                        
                                                                        
                                                       
Cross-Site Scripting (XSS) attacks are a type of injection, in which
malicious scripts are injected into otherwise benign and trusted
websites. XSS attacks occur when an attacker uses a web application to
send malicious code, generally in the form of a browser script, to a
different end user. Flaws that allow these attacks to succeed are quite
widespread and occur when a web application uses input from a user
without validating or encoding it. Reflected XSS occurs when user input
is immediately returned by a web application in an error message, search
result, or any other response that includes some or all of the input
provided by the user as part of the request.
 
The plugin has several instances where XSS is possible due to lacking
output encoding and user input sanitization:
1. The custom-write-panel-id field does not validate <script> tags and
does not perform output encoding. Proof of concept code that
demonstrates this issue is listed in the proof of concept section.
2. The value of the custom-group-id parameter in the
RCCWP_CreateCustomFieldPage.php file is insufficiently validated:
53: echo $_GET['custom-group-id'];3. The value of the custom-field-css
parameter in the RCCWP_CreateCustomFieldPage.php file is insufficiently
validated:
53: echo $_POST['custom-field-css'];

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
Proof of concept code that demonstrates the Cross-Site Scripting in the
custom-write-panel-id field is listed below: 
http://<targetsite>/wp-admin/admin.php?page=MagicFieldsMenu&custom-write-panel-id=1"
/><script>alert(1)</script>&mf_action=finish-create-custom-field

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_magic_fields_1_wordpress_plugin.html
[2] http://magicfields.org/
[3] https://github.com/hunk/Magic-Fields/releases/tag/1.7.2
[4] https://github.com/hunk/Magic-Fields/releases