Sucuri Blog

Reflected XSS in WordPress Plugin Admin Pages

September 8, 2020, by Antony Garand

The administrative dashboard in WordPress is usually considered a safe place: only elevated users can access it. At first glance, exploiting a plugin's admin panel would serve very little purpose, since an administrator already has the permissions needed to perform every action such a vulnerability could trigger.

While this is usually true, attackers use a number of techniques to trick an administrator into performing actions they did not intend, such as Cross-Site Request Forgery (CSRF) or clickjacking. Using these techniques, an attacker can exploit a vulnerability on behalf of an administrator, potentially turning a minor issue into a major security problem.

An attacker can exploit these vulnerabilities by having an administrator visit a link, or even view an image, that carries a payload crafted for the targeted website.

In this post, we'll walk through a series of vulnerabilities we found that share the same root cause, all of which lead to a reflected XSS in administrative pages.

Here is a list of plugins which were vulnerable to this attack:

  • Absolutely Glamorous Custom Admin < 6.5.5
  • All In One WP Security & Firewall < 4.4.4
    • This one is only exploitable when the administrator uses an older browser; current browsers are not vulnerable to this technique.
  • Asset CleanUp: Page Speed Booster < 1.3.6.7
  • Cookiebot < 3.6.1
  • Elementor Addon Elements < 1.6.4
  • LearnPress < 3.2.7.3
  • Sticky Menu, Sticky Header (or anything!) on Scroll < 2.21

The Vulnerabilities

Sensitive actions on a website need to be protected using a variety of techniques: permission checks, nonces, secrets, and more. Pages which do not trigger actions, such as plugin settings or overview pages, are commonly overlooked when it comes to security.

What we discovered is that all of these plugins had variations of the same problem: they trust the browser URL to contain only valid information and use no other mechanism to validate or sanitize the data it carries. Because the data was not properly sanitized or escaped, it always led to a reflected XSS vulnerability in which malicious code is executed in the context of the logged-in user.

Since there are multiple variants of the vulnerability in each of these plugins, let's look at the typical scenario: the vulnerable settings page.

Settings pages frequently have multiple tabs which split the information by category. To determine which tab is currently selected, these plugins often read the tab request argument and use it to conditionally render different sections of the page.

Here is a vulnerable sample:

[Image: Vulnerable Sample]

In this scenario, echoing $activeTab as an attribute value, as a class name, or anywhere else in the page without escaping it gives us a reflected XSS through the tab argument. Note that the request is a plain GET to a page that performs no action, so neither a nonce check nor a capability check on the form handler would have helped here; the page must validate and escape what it renders.

Finally, to exploit this XSS, all we need to do is send an administrator a link to the settings page with our payload in the tab argument:

http://website.invalid.com/wp-admin/options-general.php?page=plugin-settings&tab="><script>alert(document.domain)</script>

Since the link points to their own website, an unsuspecting administrator might be tempted to click on it, which would trigger the exploit in their own session.
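To make the pattern concrete, here is an added example (not code from the post or from any of the plugins listed above) that renders the same kind of tabbed settings page twice: once in the vulnerable form described above, and once hardened. The plugin slug `example-plugin-settings`, the tab names and the function names are hypothetical. The stand-in definitions of `esc_attr()`, `esc_html()` and `sanitize_key()` exist only so the file can be run from the command line outside WordPress; inside WordPress the real core functions are used.

```php
<?php
/**
 * Added example: vulnerable vs. hardened handling of the "tab" request argument
 * on a WordPress plugin settings page. Slug, tab names and option names are
 * hypothetical. Run stand-alone with:  php settings-tabs.php
 */

// Stand-ins for WordPress core functions so this runs from the CLI without WordPress.
// Inside WordPress these already exist and the blocks below are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('sanitize_key')) {
    // Mirrors WordPress sanitize_key(): lowercase, keep only [a-z0-9_-].
    function sanitize_key($key) { return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key)); }
}

// The only tabs this page knows about. Anything else is not a valid tab.
const EXAMPLE_TABS = ['general' => 'General', 'advanced' => 'Advanced', 'license' => 'License'];

// VULNERABLE: the pattern from the post. $_GET['tab'] is trusted and echoed raw
// into an attribute value, a class name and a text node. Kept deliberately broken.
function example_render_tabs_vulnerable(array $get): string {
    $activeTab = isset($get['tab']) ? $get['tab'] : 'general';
    $html = '<h2 class="nav-tab-wrapper">';
    foreach (EXAMPLE_TABS as $slug => $label) {
        $class = ($activeTab === $slug) ? 'nav-tab nav-tab-active' : 'nav-tab';
        $html .= '<a class="' . $class . '" href="?page=example-plugin-settings&tab=' . $slug . '">' . $label . '</a>';
    }
    $html .= '</h2>';
    $html .= '<input type="hidden" name="active_tab" value="' . $activeTab . '">'; // attribute sink
    $html .= '<div class="tab-' . $activeTab . '">';                               // class sink
    $html .= '<p>Current tab: ' . $activeTab . '</p>';                              // text sink
    $html .= '</div>';
    return $html;
}

// HARDENED: normalise the input, check it against the allow-list, fall back to a
// default, and still escape at every sink in case the allow-list is loosened later.
function example_render_tabs_hardened(array $get): string {
    $requested = isset($get['tab']) ? sanitize_key($get['tab']) : 'general';
    $activeTab = array_key_exists($requested, EXAMPLE_TABS) ? $requested : 'general';
    $html = '<h2 class="nav-tab-wrapper">';
    foreach (EXAMPLE_TABS as $slug => $label) {
        $class = ($activeTab === $slug) ? 'nav-tab nav-tab-active' : 'nav-tab';
        $html .= '<a class="' . esc_attr($class) . '" href="?page=example-plugin-settings&amp;tab='
               . esc_attr($slug) . '">' . esc_html($label) . '</a>';
    }
    $html .= '</h2>';
    $html .= '<input type="hidden" name="active_tab" value="' . esc_attr($activeTab) . '">';
    $html .= '<div class="tab-' . esc_attr($activeTab) . '">';
    $html .= '<p>Current tab: ' . esc_html($activeTab) . '</p>';
    $html .= '</div>';
    return $html;
}

if (function_exists('add_action')) {
    // Inside WordPress: expose the hardened page at
    // wp-admin/options-general.php?page=example-plugin-settings (hypothetical slug).
    add_action('admin_menu', function () {
        add_options_page('Example Settings', 'Example Settings', 'manage_options',
            'example-plugin-settings', function () { echo example_render_tabs_hardened($_GET); });
    });
} else {
    // CLI demo with a constructed request carrying the payload from the link above.
    $request = ['tab' => '"><script>alert(document.domain)</script>'];
    echo "VULNERABLE:\n", example_render_tabs_vulnerable($request), "\n\n";
    echo "HARDENED:\n", example_render_tabs_hardened($request), "\n";
}
```

Run from the command line, the vulnerable output closes the `value="` attribute and emits the `<script>` tag verbatim, while the hardened output renders the default `general` tab because the normalised value is not in the allow-list. The allow-list is the real fix; `esc_attr()` and `esc_html()` are kept as a second layer so that a future change which accepts arbitrary tab names does not silently reintroduce the bug.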

Conclusion

While certain vulnerabilities are definitely more dangerous than others, any vulnerability, regardless of its severity, can be used by attackers to damage your website.

To mitigate risk and prevent exploitation, it is imperative that you keep all website software and third-party components up to date with the latest security patches. We also encourage website owners to take advantage of file integrity monitoring services that can help identify indicators of compromise.

If you're having difficulty staying on top of updates, you can use a web application firewall to virtually patch known vulnerabilities until you can apply the updates yourself.

Categories: Sucuri Labs, Website Security, WordPress Security. Tags: Black Hat Tactics, Hacked Websites, WordPress Plugins and Themes, XSS

About Antony Garand

Antony Garand is Sucuri's Threat Researcher who joined the company in 2019. Antony's main responsibilities include researching vulnerabilities and dissecting malware. His professional experience covers many years of security research and development. When Antony isn't breaking stuff, you might find him at the dog park or learning new skills. Connect with him on Twitter
