Securin Zero-Days

Visit the following page on a site with this plugin installed.

http://yourwordpresssite.com/wordpress/wpadmin/admin.php?page=bulletproofsecurity/admin/db-backup-security/db-backup-security.php and modify the value of DBTablePrefix variable with “></script><script>alert(document.cookie);</script> payload and send the request to the server. Now, the added XSS payload is echoed back from the server without validating the input. It affects the wp-config.php file, $table_prefix, and corrupts the database connectivity.

Note: XSS payload has been tried with the application once after implementing Unfiltered Html Settings as defined to the wp-config.php file.

Define (‘DISALLOW_UNFILTERED_HTML’, true);

Users: You must be an Administrator and logged into the site as an Administrator to enter/test the XSS HTML testing code in the Randomly Generated DB Table Prefix Form text box. Please do not try this test if you are using a version of BPS versions. Entering an invalid DB Table Prefix name will crash your website.

Issue 1: The Post Request DBTable Prefix variable in the URL http://yourwordpresssite.com/wordpress/wpadmin/admin.php?page=bulletproofsecurity/admin/db-backup-security/db-backup-security.php is vulnerable to Cross-Site Scripting (XSS).

Figure 01:Invalid HTTP script Request sent to the server through the vulnerable DBTablePrefix variable in the URL http://localhost/wordpress/wpadmin/admin.php?page=bulletproof-security/admin/db-backup-security/db-backup-security.php

Figure 02: Echoed back HTTP Response without validation.

Figure 03: Response Executed in the browser with the Cookie value.

Figure 04: $table_prefix is also damaged with the given XSS Payload.

Figure 05: Error message after the payload gets executed in the browser.