The Fluid Responsive Slideshow WordPress plugin was found vulnerable to a CSRF bug that could ultimately lead to server-side compromise. Additionally there was a separate reflected XSS bug. The problems were fixed in version 2.2.7 released on May 17.
Details
The frst_save() AJAX handler didn’t check for any CSRF tokens (nonces). An attacker could perform authenticated AJAX requests on the victim’s behalf. The attack requires a logged-in WordPress user to view HTML content under the attacker’s control.
The problematic code:
add_action('wp_ajax_frs_save', 'frs_save' ); /* for logged in user */
function frs_save() {
    global $wpdb; // this is how you get access to the database
    unset($_POST['action']);
    $id = htmlspecialchars($_POST['post_id']);
    // ... the rest of the handler writes the submitted data to wp_posts
}
The problem is what is missing here: a check_admin_referer() or verify_nonce() call.
The function is intended to create or modify a slideshow object stored in the wp_posts table. However, it doesn't check the post type, so it can be misused to modify any row in that table, including normal posts and pages. This way the attacker can inject arbitrary JavaScript into the site's own pages, escalating the CSRF bug to stored XSS.
The victim can next be redirected to the modified page to evaluate the injected script with their privileges. In administrator context this would lead to server-side compromise under the default WordPress configuration.
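The following is an added example of how the handler could be hardened against the two defects described above, the missing nonce check and the missing post-type check; it is not the plugin's own code. It assumes a hypothetical slideshow post type named frs_slideshow, a nonce action name of frs_save, and that the admin-side JavaScript sends the nonce in the _ajax_nonce POST field (wired up with wp_localize_script below).

```php
<?php
// Added example, not Fluid Responsive Slideshow's code.
// Assumptions: post type 'frs_slideshow' (hypothetical), nonce action
// 'frs_save', nonce sent in the '_ajax_nonce' POST field.

// Server side: pass a nonce to the admin script so it can include it.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'frs-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'frs-admin', 'frsAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'frs_save' ),
    ) );
} );

add_action( 'wp_ajax_frs_save', 'frs_save_hardened' );

function frs_save_hardened() {
    // 1. CSRF: refuse any request without a valid nonce. check_ajax_referer()
    //    terminates the request on failure, so nothing below runs for a
    //    cross-site forged POST.
    check_ajax_referer( 'frs_save', '_ajax_nonce' );

    $id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    if ( $id ) {
        // 2. Scope: only touch the plugin's own objects, never arbitrary
        //    rows of wp_posts such as ordinary posts or pages.
        $post = get_post( $id );
        if ( ! $post || 'frs_slideshow' !== $post->post_type ) {
            wp_send_json_error( 'not a slideshow', 400 );
        }
        // 3. Authorization: the current user must be allowed to edit it.
        if ( ! current_user_can( 'edit_post', $id ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
    } elseif ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Sanitize the submitted fields before they reach the database.
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    $content = isset( $_POST['content'] ) ? wp_kses_post( wp_unslash( $_POST['content'] ) ) : '';

    $args = array(
        'post_type'    => 'frs_slideshow', // pinned: cannot be overridden by the request
        'post_title'   => $title,
        'post_content' => $content,
        'post_status'  => 'publish',
    );

    if ( $id ) {
        $args['ID'] = $id;
        $result     = wp_update_post( $args, true );
    } else {
        $result = wp_insert_post( $args, true );
    }

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $result ) );
}
```

The three checks are independent and all three are needed: the nonce stops a forged request from another origin, the post-type check keeps the handler from being turned into a generic wp_posts editor, and the capability check ensures a low-privileged user cannot edit slideshows they do not own. Pinning post_type in the insert/update arguments also prevents the request from changing an existing object's type.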
Reflected XSS
There was also a normal XSS exploitable via a URL like:
https://your.site/post_with_a_slideshow/?skin=%3C/script%3E%3Cscript%3Ealert(/XSS/.source);%3C/script%3E
This XSS is stopped by the Chrome XSS Auditor.
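As an added illustration of the reflected bug's output-escaping side (not code from the plugin), the pair of functions below shows a weak way of passing the skin parameter to page JavaScript next to a hardened one. It assumes the parameter was echoed into an inline script block, which the shape of the payload above (closing a script element, then opening a new one) suggests; the variable name frsSkin and the skin names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes 'skin' was reflected into an
// inline <script>; variable and skin names below are hypothetical.

// Weak pattern: raw request data inside a script context. A value containing
// </script> ends the element early and whatever follows is parsed as HTML.
function frs_render_skin_unsafe() {
    $skin = isset( $_GET['skin'] ) ? $_GET['skin'] : 'default';
    echo '<script>var frsSkin = "' . $skin . '";</script>';
}

// Hardened pattern: validate against a known set of skins, then emit the
// value as a JSON literal with the HTML-relevant characters hex-escaped.
function frs_render_skin_safe() {
    $allowed = array( 'default', 'dark', 'light' ); // hypothetical skin names
    $skin    = isset( $_GET['skin'] ) ? sanitize_key( $_GET['skin'] ) : 'default';
    if ( ! in_array( $skin, $allowed, true ) ) {
        $skin = 'default';
    }
    // JSON_HEX_TAG turns '<' and '>' into \u003C and \u003E, so even a value
    // that slipped past the allowlist could not contain a literal </script>.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    echo '<script>var frsSkin = ' . wp_json_encode( $skin, $flags ) . ';</script>';
}
```

The allowlist is the primary control here; the encoding flags are defence in depth for the case where a future code change lets a free-form value through. Relying on a browser-side filter such as the XSS Auditor is not a fix, since it only covers some browsers and some payload shapes.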
Vendor response
Tonjoo Studio was contacted on April 3. The patch was released on May 18, 2016.
Credits
The vulnerability was discovered and researched by Jouko Pynnönen of Klikki Oy, Finland.