Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 16 Oct 2019 14:08:54 +0200
From: SBA Research Advisory <advisory@...-research.org>
To: <oss-security@...ts.openwall.com>
Subject: [SBA-ADV-20190913-01] CVE-2019-16522: WordPress Plugin - EU Cookie
 Law (GDPR) <= 3.0.6 and possibly upwards - Stored XSS

# WordPress Plugin - EU Cookie Law (GDPR) - Stored XSS #

Link: https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20190913-01_WordPress_Plugin_EU_Cookie_Law

## Vulnerability Overview ##

The eu-cookie-law plugin through 3.0.6 for WordPress (aka EU Cookie Law (GDPR))
is susceptible to Stored XSS due to improper encoding of several configuration
options in the admin area and the displayed cookie consent message.
This affects Font Color, Background Color, and the Disable Cookie text.
An attacker with high privileges can attack other users.

* **Identifier**            : SBA-ADV-20190913-01
* **Type of Vulnerability** : Cross-site Scripting
* **Software/Product Name** : [EU Cookie Law (GDPR)](https://wordpress.org/plugins/eu-cookie-law/)
* **Vendor**                : [Alex Moss, Marco Milesi](https://wordpress.org/plugins/eu-cookie-law/)
* **Affected Versions**     : <= 3.0.6 and possibly upwards
* **Fixed in Version**      : -
* **CVE ID**                : CVE-2019-16522
* **CVSSv3 Vector**         : AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
* **CVSSv3 Base Score**     : 3.5 (Low)

## Vendor Description ##

> EU Cookie Law is a light, elegant and powerful solution to comply european cookie law and GDPR, with popup and options to lock scripts before acceptance.
>
> Various customizations included to perfectly fit your website and keep cookies under control (before and after the consent).
>
> Simply install the plugin and follow the instructions on the Settings page.

Active Installations: 100,000+

Source: <https://wordpress.org/plugins/eu-cookie-law/>

## Impact ##

By exploiting the documented vulnerability, an authenticated attacker with high
privileges (admin) can execute JavaScript code in a victim's browser.
This can be misused, e.g for phishing attacks by displaying a fake
login form and sending the victim's credentials to the attacker.
Furthermore malicious actions can be performed in the context of an authenticated
user. The impact depends on the level of access of the attacked user.

## Vulnerability Description ##

In the configuration area `/wp-admin/options-general.php?page=peadig_eucookie`
an admin can set several options for the plugin. Most of them are correctly
escaped before inserted in the HTML page. However three values of settings can
be exploited to insert arbitrary JavaScript and HTML.
Those are:

* Font Color
* Background Color
* "Disable Cookie" Text

The value of "Fontcolor" will be inserted on every page where the cookie consent message
is shown. The other two are by default only exploitable in the admin area.

## Proof of Concept ##

This example shows how an attacker can exploit this vulnerability through the
value of "Font Color": By setting the value `#FFFFFF"><script>alert(1)</script>`,
an attacker can break out of the HTML attribute and insert a `script` tag containing
JavaScript. In this example a simple alert-popup-box will be shown.

So when the attacker sends the following HTTP-Request:

```http
POST /wp-admin/options.php HTTP/1.1
[...]

[...]peadig_eucookie%5Bfontcolor%5D=%23FFFFFF%22%3E%3Cscript%3Ealert%281%29%3C/script%3E[...]
```

In the admin area, the resulting HTML page looks like the following (shortened for readability):

```html
[...]
<input id="fontcolor" type="text" name="peadig_eucookie[fontcolor]" value="#FFFFFF">
    <script>alert(1)</script>
    " class="color-field" data-default-color="#ffffff"/>
[...]
```

On the page with the cookie message the payload will be inserted multiple times.
The resulting HTML looks like the following (shortened for readability):

```html
[...]
<!-- Eu cookie Law 3.0.6 -->
<div class="pea_cook_wrapper pea_cook_bottomcenter" style="color:#FFFFFF">
    <script>alert(1)</script>
    ;background:rgb(0,0,0);background: rgba(0,0,0,0.85);">
[...]
```

## Recommended Countermeasures ##

We recommend to escape the values using the `esc_attr`-[function][1] provided by WordPress.

[1]: https://developer.wordpress.org/themes/theme-security/data-sanitization-escaping/#escaping-securing-output

## Timeline ##

* `2019-09-04` Identified the vulnerability
* `2019-09-06` Contacted the authors
* `2019-09-06` Response by authors about disclosure contact
* `2019-09-09` Disclosed vulnerability to the authors
* `2019-09-20` CVE assigned
* `2019-09-20` Asked authors again for fix
* `2019-10-16` Public disclosure, because authors did not respond

## References ##

* <https://wordpress.org/plugins/eu-cookie-law/>
* <https://wordpress.org/plugins/eu-cookie-law/#developers>

## Credits ##

* Tobias Fink ([SBA Research](https://www.sba-research.org/))

Download attachment "0xFBB8862F58F775B2.asc" of type "application/pgp-keys" (3542 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.