Slimstat: Stored XSS from Visitors

May 21, 2019, by Antony Garand

Exploitation Level: Easy / Remote

DREAD Score: 8.4

Vulnerability: Stored XSS on Admin dashboard

Patched Version: 4.8.1

The WordPress Slimstat plugin, which currently has over 100k installs, allows your website to gather analytics data for your WordPress website. It will track certain information such as the browser and operating system details, plus page visits to optimize the website analytics.

Versions below 4.8.1 are affected by an unauthenticated stored XSS on the administrator dashboard.

Timeline

  • 2019/05/16: Initial disclosure
  • 2019/05/20: Patch released (4.8.1)
  • 2019/05/21: Blog post released

Details

This vulnerability allows a visitor to inject arbitrary JavaScript code into the plugin's access log functionality, which is visible both on the plugin's access log page and on the admin dashboard index, the default page shown once you log in.

[Image: Admin dashboard index]

Using the access log, it is possible to see details of the users accessing the website.

These details include the IP address, operating system, browser, and the installed plugins of the browser.

These are collected by the plugin's client-side analytics script, which fingerprints the browser and then sends its properties to the plugin in a request.

A malicious user could forge such an analytics request by pretending their browser has a specially crafted plugin, injecting arbitrary code into the plugin's access log. This code is executed once an admin logs in.

Technical Details

The expected values for plugins are the default-supported browser plugins, such as pdfviewer, flash or java.

The plugin property is sanitized using the strip_tags PHP function, which removes any tags from the original plugin value.

[Image: strip_tags sanitization code]

When viewing the details of an access log entry, the details include an image of the installed plugins, such as the PDF viewer in this image.

[Image: access log entry showing the installed plugin icon]

Here is how the image is generated for the plugins, where $a_plugin is the plugin name:

[Image: image-generation code using $a_plugin]

Since the plugin value has only been sanitized with strip_tags, and it is injected into an HTML attribute, we can break out of the attribute with a single quote and add an event handler.

By submitting plugin'onerror='alert(document.domain) as a plugin, the resulting HTML would be the following:

plugin'onerror='alert(document.domain)

This triggers the onerror event because the image source is invalid, resulting in a stored XSS.
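To make the attribute-context point concrete, here is an added example (not Slimstat's own code) that places the post's forged plugin value into a simplified icon template, first sanitized with strip_tags as the vulnerable version did, then with attribute encoding and an allowlist; the markup, function names and allowlist contents are assumptions.

```php
<?php
// Added example (not Slimstat's own code): why strip_tags() does not protect
// an HTML attribute, and two defensive alternatives. The <img> markup is a
// simplified stand-in for the plugin's icon rendering, not the real template.

// Constructed input: the forged plugin name from the post.
$a_plugin = "plugin'onerror='alert(document.domain)";

// Vulnerable pattern: strip_tags() only removes <...> tags. The single quotes
// survive, so the value closes the src attribute and adds an onerror handler.
function render_plugin_icon_vulnerable(string $a_plugin): string
{
    $clean = strip_tags($a_plugin);
    return "<img src='/icons/{$clean}.png' alt='{$clean}'>";
}

// Hardened pattern 1: encode for the attribute context. ENT_QUOTES encodes
// both ' and " (in WordPress code the equivalent is esc_attr()).
function render_plugin_icon_encoded(string $a_plugin): string
{
    $clean = htmlspecialchars($a_plugin, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<img src='/icons/{$clean}.png' alt='{$clean}'>";
}

// Hardened pattern 2: the value is only meaningful if it is one of the
// browser plugins the post lists, so allowlist it before rendering at all.
// The allowlist contents are an assumption, not Slimstat's list.
const KNOWN_PLUGINS = ['pdfviewer', 'flash', 'java'];

function render_plugin_icon_allowlisted(string $a_plugin): ?string
{
    if (!in_array(strtolower($a_plugin), KNOWN_PLUGINS, true)) {
        return null; // unknown plugin: render nothing (and log it if desired)
    }
    return render_plugin_icon_encoded($a_plugin);
}

// Demonstration: the vulnerable output still contains a raw single quote
// followed by an event handler attribute; the encoded output does not.
foreach (['vulnerable' => render_plugin_icon_vulnerable($a_plugin),
          'encoded'    => render_plugin_icon_encoded($a_plugin)] as $name => $html) {
    $breakout = preg_match("/'\\s*on\\w+\\s*=/i", $html) === 1;
    printf("%-10s attribute breakout: %s\n%s\n\n", $name, $breakout ? 'yes' : 'no', $html);
}
echo render_plugin_icon_allowlisted($a_plugin) === null
    ? "allowlist: forged value rejected\n"
    : "allowlist: value accepted\n";
```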

Update as Soon as Possible

If you’re using a vulnerable version of this plugin, update as soon as possible. In the event where you cannot do this, we strongly recommend leveraging the Sucuri Firewall or equivalent technology to have the vulnerability patched virtually.

Categories: Vulnerability Disclosure, Website Security, WordPress Security. Tags: WordPress Plugins and Themes, XSS.

About Antony Garand

Antony Garand is Sucuri's Threat Researcher who joined the company in 2019. Antony's main responsibilities include researching vulnerabilities and dissecting malware. His professional experience covers many years of security research and development. When Antony isn't breaking stuff, you might find him at the dog park or learning new skills. Connect with him on Twitter.
