Authenticated XSS Vulnerability in WP Statistics

Introduction

A few days ago the awesome folks over at Sucuri found a SQL Injection vulnerability in the popular WP Statistics WordPress Plugin, currently installed on over 300,000 websites. We wanted to check that our existing toolsets would have detected the vulnerability, so that we could ensure that Dewhurst Security clients were not affected by similar issues. During this process we identified the Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discussed below. This vulnerability was responsibly disclosed to the vendor, who patched the issue and released a new version on the same day.

Description

Versions 12.0.8.1 and below of the WP Statistics WordPress Plugin were found to be vulnerable to Authenticated Reflected Cross-Site Scripting (XSS). The ‘ip’ GET parameter on the ‘wps_visitors_page’ page is output to the page without first being validated, sanitised or output encoded. This leads to Authenticated Reflected Cross-Site Scripting (XSS), which could allow attackers to compromise a WordPress application by tricking an authenticated administrator user into clicking on a specially crafted link.

Please note that other potential instances of Authenticated XSS were identified; however, these were protected by Cross-Site Request Forgery (CSRF) nonces.

This issue was patched within hours by the vendor in version 12.0.9.

Affected Software

WP Statistics <= 12.0.8.1 - https://wordpress.org/plugins/wp-statistics/

Technical Description:

Source: On line 28 of the includes/log/last-visitor.php file, the $_GET['ip'] is placed within the $_get variable.

Sink: On line 74 of the includes/log/last-visitor.php file, the $_get variable is output in the PHP echo() function.

Proof of Concept (PoC):

Click on the following link in the Firefox browser: http://mywordpress.com/wp-admin/admin.php?page=wps_visitors_page&ip=%27%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%3C%22

A fully weaponised XSS exploit was created that used the WordPress Theme Editor to insert a PHP backdoor into a WordPress site. The weaponised XSS payload has not been supplied with this advisory, however, it is trivial to create.

Remediation

Vendor: Pass the $_get variable through WordPress’ esc_attr() function. For example: $_get = esc_attr($_get);

Users: Update to version 12.0.9, which fixes the vulnerability.
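The following is an added example, not the plugin's code: it reconstructs the source-to-sink pattern the advisory describes (the raw $_GET['ip'] copied into $_get and echoed) alongside a hardened version that first validates the value as an IP address and then applies esc_attr(), as the remediation advises. The surrounding <input> markup and the esc_attr() stand-in (so the file runs outside WordPress) are assumptions.

```php
<?php
// Added example, not the plugin's code. Reconstructs the described
// source->sink pattern and the esc_attr() remediation from the advisory.

// Stand-in for WordPress' esc_attr() so this runs outside WordPress.
// WordPress' own esc_attr() encodes <, >, &, " and ' for attribute context.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern (reconstructed): the GET parameter is copied into
// $_get and written into an attribute without encoding (assumed markup).
function render_ip_filter_vulnerable(array $get): string {
    $_get = isset($get['ip']) ? $get['ip'] : '';
    return "<input type='text' name='ip' value='" . $_get . "'>";
}

// Hardened pattern: reject anything that is not an IP address, then
// escape for the attribute context with esc_attr().
function render_ip_filter_fixed(array $get): string {
    $_get = isset($get['ip']) ? (string) $get['ip'] : '';
    // Validation: the parameter is meant to hold an IPv4/IPv6 address.
    if (filter_var($_get, FILTER_VALIDATE_IP) === false) {
        $_get = '';
    }
    // Output encoding: quotes and angle brackets become HTML entities.
    $_get = esc_attr($_get);
    return "<input type='text' name='ip' value='" . $_get . "'>";
}

// Demonstration with the advisory's PoC parameter value (URL-decoded).
$poc = ['ip' => "'><img src=x onerror=alert(1)><\""];
echo render_ip_filter_vulnerable($poc), "\n"; // attribute closed, <img> injected
echo render_ip_filter_fixed($poc), "\n";      // value='' : payload rejected
echo render_ip_filter_fixed(['ip' => '203.0.113.7']), "\n"; // value='203.0.113.7'
```

Even without the validation step, esc_attr() alone would render the PoC value inert in the attribute, which is why the single-line fix in the remediation is sufficient; validation additionally keeps non-IP input from reaching the rest of the page logic.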

Timeline:

  • 03/07/2017 09:00: Issue discovered by Ryan Dewhurst (Dewhurst Security).
  • 03/07/2017 12:50: Contacted vendor via contact form on website https://toolstack.com/contact
  • 03/07/2017 13:07: Contacted vendor via contact form on website https://wp-statistics.com/contact/
  • 03/07/2017 13:37: Reply from vendor.
  • 03/07/2017 13:41: Advisory with full details sent.
  • 03/07/2017 14:16: Vendor replies, thanking us for the report.
  • 03/07/2017 18:00: Advisory shared with a trusted source.
  • 03/07/2017 18:54: Vendor advises that the vulnerability has been patched on GitHub.
  • 03/07/2017 20:28: Advisory released.

References: