Securin Zero-Days
CVE-2017-14530 - Cross-Site Scripting & Cross-Site Request Forgery in Crony Cronjob Manager
Description
A cross-site request forgery vulnerability was identified in the WordPress plugin Crony Cronjob Manager before version 0.4.4. The specific flaw exists via the name parameter in action=manage&do=create requests, because the plugin fails to validate a CSRF token before handling the POST request.
Proof of Concept (POC):
Visit the following page on a site with this plugin installed:
http://yourwordpresssite.com/wordpress/wpadmin/admin.php?page=crony&action=manage&do=create
Modify the value of the name variable with the payload <script>alert('Vulnerable2CSRF&XSS')</script> and send the request to the server after generating a CSRF request for the victim. The added XSS payload is then executed on the victim's system, which can be compromised.
Note: The XSS payload was tested against the application after applying the unfiltered HTML setting in the wp-config.php file:
define( 'DISALLOW_UNFILTERED_HTML', true );
Issue 1: The name variable in the POST request to http://yourwordpresssite.com/wordpress/wpadmin/admin.php?page=crony&action=manage&do=create is vulnerable to XSS, and the plugin is also exploitable through the CSRF vulnerability.
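To make the two root causes concrete from the defender's side, here is an added illustration that is not the Crony plugin's own code: a hypothetical admin-page handler for the create operation, shown first in the pattern the description implies (no nonce check, value stored and rendered as-is) and then hardened with the WordPress nonce, sanitisation and escaping APIs. The function and option names (crony_demo_*) are assumptions for the example.

```php
<?php
// Added illustration (not the Crony plugin's own code): a hypothetical
// handler for the action=manage&do=create admin page. The *_unsafe
// version reproduces the pattern the advisory describes; the *_safe
// version shows the checks a plugin should perform.

// --- Unsafe pattern: any POST that reaches the page is trusted ---
function crony_demo_create_unsafe() {
    if ( isset( $_POST['name'] ) ) {
        $jobs   = get_option( 'crony_demo_jobs', array() );
        $jobs[] = $_POST['name'];                  // stored as-is (no CSRF check)
        update_option( 'crony_demo_jobs', $jobs );
    }
    foreach ( get_option( 'crony_demo_jobs', array() ) as $name ) {
        echo '<li>' . $name . '</li>';             // rendered unescaped (stored XSS)
    }
}

// --- Hardened pattern ---
function crony_demo_create_safe() {
    if ( isset( $_POST['name'] ) ) {
        // 1. Capability check: only users allowed to manage the site.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges.' );
        }
        // 2. CSRF check: dies unless the nonce emitted by wp_nonce_field()
        //    below is present in $_POST['crony_demo_nonce'] and valid.
        check_admin_referer( 'crony_demo_create', 'crony_demo_nonce' );
        // 3. Sanitise before storing (strips tags and control characters).
        $name   = sanitize_text_field( wp_unslash( $_POST['name'] ) );
        $jobs   = get_option( 'crony_demo_jobs', array() );
        $jobs[] = $name;
        update_option( 'crony_demo_jobs', $jobs );
    }
    // 4. Escape on output regardless of what is stored.
    foreach ( get_option( 'crony_demo_jobs', array() ) as $name ) {
        echo '<li>' . esc_html( $name ) . '</li>';
    }
    // The form that posts back to this page carries the nonce field,
    // so a cross-site form submission lacks a valid token and is rejected.
    echo '<form method="post">';
    wp_nonce_field( 'crony_demo_create', 'crony_demo_nonce' );
    echo '<input type="text" name="name">';
    echo '<button type="submit">Create</button></form>';
}
```

Note that the nonce check alone addresses the CSRF issue; the sanitisation and esc_html() calls are what prevent the stored payload from executing, and both are needed here.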

Figure 01: Cronjobs list before CSRF code & XSS payload gets executed.

Figure 02: Name variable input field, which is vulnerable to XSS.

Figure 03: Capturing the HTTP request in the intercept proxy.

Figure 04: Created a crafted HTML page with XSS input and CSRF Request.
Note: After creating the CSRF HTML page, the user logs out and then logs in again; the HTML page is then executed. In this case, we executed it from the local machine.

Figure 05: XSS Payload gets executed in the browser once the link sent by the attacker has been clicked.

Figure 06: XSS payload gets executed, and a new cronjob is created.
Impact
An attacker can exploit this by persuading a user of the interface to follow a malicious link, allowing the attacker to perform arbitrary actions with the privilege level of the affected user.
Remediations
Download the latest version referenced in the vendor advisory and update the plugin.
Timeline