Often during the penetration testing activities our team comes across potentially unsafe behaviours, coding errors and unspecified misconfiguration errors.
This time we had a full access to the WordPress instance, and we could investigate the security of the front-end and back-end of the application and its plugins.
The WordPress instance in question made use of ‘Easy Redirect Manager’ plugin, that allows for redirections within an application. This is very useful if the website has been updated with the new URLs and new services. This allows an end user to keep using an old reference and get an up to date content with no errors.
Being able to audit the running instance it allowed our team to discover and confirm the Cross-Site Scripting vulnerability, a very severe vulnerability (type) that is listed on the OWASP TOP 10 lists for a number of years.
The ‘Premium WP Suite Easy Redirect Manager’ plugin 28.07-17 for WordPress is vulnerable to XSS via a crafted GET request that is mishandled during log viewing at the templates/admin/redirect-log.php plugin URI.
A vulnerable page on a running installation will be accessible via www._wordpress_instance_url_/wp-admin/admin.php?page=wps-rm-log
- On the backend of the application: Install the plugin and configure redirection rule(s).
- Logout from the WordPress panel – the injection of XSS does not require any authentication.
Steps that are required to confirm the vulnerability:
- Issue a malicious GET request that has an XSS payload as part of the URL.
The plugin will handle redirections as expected. If the resource does not exist (404 code) or redirection was performed (302 code) it will appear in the ‘Redirect Log’ page on the back-end.
- Open new window/tab and login as a backend WordPress user (admin).
- Navigate to Easy Redirect Manager Menu and click the ‘Redirect Log’ Page.
- Vulnerable plugin will display past requests and execute XSS payloads that were issued earlier in the process.
Above the screenshot of the traffic generated by the browser. The malicious payloads forced browser into executing code, making requests and so on.
Please note that the injected parameters with XSS payloads do not have to be valid!
We immediately informed WordPress and plugin developers. Unfortunately, there are no plans to support this plugin and we recommend migrating to another solution as quickly as possible.
In addition, we recommend installing Wordfence™ or any other security plugin which blocks the XSS attempts so that it does not reach the vulnerable plugin.
Discovered by Alexander Drabek, Steve Armstrong
CVE number: CVE-2019-6267
Discovery and vendor informed on 13th January 2019
Vendor acknowledgement 14th January 2019
We are pleased to be able to contribute to the security community. Our commitment to security allows our clients to become aware of the emerging risks.
If you would like more information about our methods, please contact us here and we will arrange a call or demo of our technical services.