Securin Zero-Days

CVE-2021-33852 - Stored Cross-Site Scripting in WordPress (Post Duplicator Plugin – 2.23)

Severity: Medium

Vendor

WordPress

Affected Product

Post-Duplicator Plugin 2.23

CVE

CVE-2021-33852

Securin ID

2021-CSW-12-1053

Status

Fixed

Date

December 2, 2021

Description

A cross-site scripting (XSS) attack causes arbitrary JavaScript to run in a user's browser while the browser is connected to a trusted website. The attack targets your application's users rather than the application itself, but it uses your application as the vehicle for the attack. In this case the stored XSS payload executes whenever a user opens the Settings page of the Post Duplicator plugin, or the application root page after any existing post has been duplicated.

Proof of Concept (POC):

The following vulnerability was discovered in Post-Duplicator Plugin 2.23.

Issue: Stored Cross-Site Scripting

Note: Here, localhost has been used for testing the application locally.

  1. Log in to the WordPress application.

  2. Install the Post Duplicator plugin.

  3. Go to the 'Tools' menu of WordPress and click on the 'Post Duplicator' button.

Figure 01: Post Duplicator Settings Page

  4. Enter the payload – Duplicate Post"><script>alert(document.cookie)</script> in the 'Duplicate Title' field (mtphr_post_duplicator_settings[title] parameter).

Figure 02: Entering the XSS payload in the 'Duplicate Title' field

  5. Enter the payload – Hello World!"><script>alert(document.cookie)</script> in the 'Duplicate Slug' field (mtphr_post_duplicator_settings[slug] parameter).

Figure 03: Entering the XSS payload in the 'Duplicate Slug' field

  6. Click on the 'Save Changes' button to save the changes.

  7. Go to the Post Duplicator Settings page at tools.php?page=mtphr_post_duplicator_settings_menu

Figure 04: The injected XSS payload is executed, displaying an alert box with the contents of the user's cookies.

  8. Another use case of this vulnerability is when a post is duplicated after the XSS payload has been injected in the settings page.

Figure 05: Duplicate the "Hello world!" post

  9. Once the post is duplicated, the title of the duplicated post will have the name specified in the mtphr_post_duplicator_settings[title] parameter appended to it.

Figure 06: Duplicated post with XSS payload

  10. Now navigate to the application root to view the posts.

Figure 07: The injected XSS payload is executed, displaying an alert box with the contents of the user's cookies.

Figure 08: The default cross-site scripting mitigation setting in the wp.config file to prevent cross-site scripting attacks

Impact

An attacker can perform the following:

  • Inject malicious code into the vulnerable variable and exploit the application through the cross-site scripting vulnerability.

  • Modify the code and get the session information of other users.

  • Compromise the user machine.

Remediations

  • Perform context-sensitive encoding of untrusted input before it is echoed back to a browser, using an encoding library consistently throughout the application.

  • Implement input validation for special characters on all the variables reflected in the browser and stored in the database.

  • Explicitly set the character set encoding for each page generated by the webserver.

  • Encode dynamic output elements and filter specific characters in dynamic elements.
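As an added illustration of the remediations above (not the plugin's own code), the following hypothetical PHP shows the unescaped-echo pattern that produces this class of bug beside its hardened form: a sanitize callback on the stored option plus escaping matched to the output context. The option name, option group and field names are assumptions modelled on the parameter names in the PoC.

```php
<?php
// Hypothetical settings-page code written for this advisory as an illustration;
// it is not the Post Duplicator plugin's own code. Option and group names are
// assumptions modelled on the PoC parameters (mtphr_post_duplicator_settings[title]).

// --- Vulnerable pattern: the stored option is echoed straight into an HTML
// attribute. A value containing "> closes the input tag, and any markup that
// follows is rendered by every administrator who opens the page.
function vulnerable_render_title_field() {
    $settings = get_option( 'mtphr_post_duplicator_settings', array() );
    $title    = isset( $settings['title'] ) ? $settings['title'] : '';
    echo '<input type="text" name="mtphr_post_duplicator_settings[title]" value="' . $title . '" />';
}

// --- Hardened pattern, step 1: sanitize on the way in. A sanitize_callback
// registered with the option is run by WordPress before the value is stored.
function hardened_sanitize_settings( $input ) {
    $clean = array();
    // Free-text field: strip tags, octets and control characters.
    $clean['title'] = isset( $input['title'] ) ? sanitize_text_field( $input['title'] ) : '';
    // Slug field: only URL-safe characters are ever legitimate here.
    $clean['slug']  = isset( $input['slug'] ) ? sanitize_title( $input['slug'] ) : '';
    return $clean;
}
add_action( 'admin_init', function () {
    register_setting(
        'mtphr_post_duplicator_settings_group', // assumed option group name
        'mtphr_post_duplicator_settings',
        array( 'sanitize_callback' => 'hardened_sanitize_settings' )
    );
} );

// --- Hardened pattern, step 2: encode on the way out with the function that
// matches the context (esc_attr() inside an attribute). Input sanitization alone
// is not enough: rows stored before the fix and other write paths still reach
// this echo, so the output encoding is the control that actually prevents XSS.
function hardened_render_title_field() {
    $settings = get_option( 'mtphr_post_duplicator_settings', array() );
    $title    = isset( $settings['title'] ) ? $settings['title'] : '';
    echo '<input type="text" name="mtphr_post_duplicator_settings[title]" value="' . esc_attr( $title ) . '" />';
}

// The same stored value is appended to a duplicated post's title and printed on
// the front end; there the context is HTML text, so esc_html() is the right call.
function hardened_render_duplicate_title( $original_title, $settings ) {
    $suffix = isset( $settings['title'] ) ? $settings['title'] : '';
    return esc_html( $original_title . ' ' . $suffix );
}
```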

Timeline

Dec 28, 2021: Discovered in the `Post Duplicator Plugin – 2.23` product

Dec 29, 2021: Reported to WordPress team

Dec 31, 2021: Vendor fixed the issue

Dec 31, 2021: CSW assigned the CVE Identifier (CVE-2021-33852)
