Fluid Responsive Slideshow CSRF vulnerability

The Fluid Responsive Slideshow WordPress plugin was found vulnerable to a CSRF bug that could ultimately lead to server-side compromise. Additionally there was a separate reflected XSS bug. The problems were fixed in version 2.2.7 released on May 17.

Details

The frs_save() AJAX handler (hooked to wp_ajax_frs_save, which WordPress runs for any logged-in user) did not check a CSRF token (nonce). An attacker could therefore have the victim's browser perform authenticated AJAX requests to admin-ajax.php on the victim's behalf, since the browser attaches the WordPress login cookies automatically. The attack only requires a logged-in WordPress user to view HTML content under the attacker's control, for example a page containing an auto-submitting form.

The problematic code:

add_action('wp_ajax_frs_save', 'frs_save' ); /* for logged in user */
function frs_save() {
    global $wpdb; // this is how you get access to the database
    // Missing here: a nonce check (check_ajax_referer()), so any request that
    // arrives with a valid login cookie is accepted, wherever it came from.
    unset($_POST['action']);
    // htmlspecialchars() only HTML-encodes the id; it does not validate that
    // the id refers to a slideshow object rather than an ordinary post or page.
    $id = htmlspecialchars($_POST['post_id']);
    // ... rest of the handler writes the submitted data to wp_posts

The problem is what's missing here: a nonce check such as check_ajax_referer() (or check_admin_referer() / wp_verify_nonce()) before the submitted data is used. A WordPress nonce is tied to the action and to the logged-in user, and a page on another origin cannot read it, so a forged cross-site request cannot supply a valid one.

The function is intended to create or modify a slideshow object stored in the wp_posts table. However, it doesn't check the post type of the supplied post_id, so it can be used to modify any row in that table, including ordinary posts and pages. Because that content is rendered on the site's pages, the attacker can inject arbitrary JavaScript into them, escalating the CSRF to stored XSS.

The victim can next be redirected to the modified page, where the injected script runs with their privileges. In administrator context this leads to server-side compromise under the default WordPress configuration: an administrator's session can install plugins and edit theme and plugin PHP files from the dashboard (unless DISALLOW_FILE_EDIT or DISALLOW_FILE_MODS is set in wp-config.php), so script running as the administrator can write and execute arbitrary PHP on the server.
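As an added example (this is not the vendor's patch and not code from the plugin), here is how the handler could be hardened against the two issues described above: a nonce check for the CSRF, and a post type check so that only slideshow objects can be written through it. The names frs_save_hardened, the custom post type slug 'frs_slideshow', the nonce action 'frs_save' and the post_title / post_content request fields are assumptions made for the illustration; only frs_save and post_id come from the advisory.

```php
<?php
// Added example, not the vendor's patch. Assumptions (not from the advisory):
// the slideshow custom post type is 'frs_slideshow', the nonce action is
// 'frs_save', and the request carries post_id, post_title and post_content.

// 1. Hand the nonce to the plugin's own JavaScript. wp_localize_script() exposes
//    it as frsData.nonce on the plugin's admin screen only; a page on another
//    origin has no way to read it.
add_action('admin_enqueue_scripts', function () {
    wp_enqueue_script('frs-admin', plugins_url('frs-admin.js', __FILE__), array('jquery'), '1.0', true);
    wp_localize_script('frs-admin', 'frsData', array(
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('frs_save'),
    ));
});

add_action('wp_ajax_frs_save', 'frs_save_hardened');
function frs_save_hardened() {
    // 2. CSRF: reject requests without a valid nonce for this action.
    //    check_ajax_referer() terminates the request (-1 response) on failure,
    //    so nothing below runs for a forged cross-site request.
    check_ajax_referer('frs_save', 'nonce');

    // 3. Validate the id as an integer instead of HTML-encoding it.
    $id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;

    // 4. Only slideshow objects may be written through this handler, so the
    //    handler cannot be turned against ordinary posts and pages.
    if ($id) {
        $post = get_post($id);
        if (!$post || $post->post_type !== 'frs_slideshow') {
            wp_send_json_error('not a slideshow', 400);
        }
        // 5. Authorisation: the caller must be allowed to edit this object.
        if (!current_user_can('edit_post', $id)) {
            wp_send_json_error('forbidden', 403);
        }
    } elseif (!current_user_can('edit_posts')) {
        wp_send_json_error('forbidden', 403);
    }

    // 6. Sanitise the fields that end up in wp_posts.
    $title   = isset($_POST['post_title']) ? sanitize_text_field(wp_unslash($_POST['post_title'])) : '';
    $content = isset($_POST['post_content']) ? wp_kses_post(wp_unslash($_POST['post_content'])) : '';
    $data = array(
        'post_type'    => 'frs_slideshow',
        'post_title'   => $title,
        'post_content' => $content,
    );

    if ($id) {
        $data['ID'] = $id;
        $result = wp_update_post($data, true);
    } else {
        $result = wp_insert_post($data, true);
    }
    if (is_wp_error($result)) {
        wp_send_json_error($result->get_error_message(), 500);
    }
    wp_send_json_success(array('post_id' => $result));
}
```

On the plugin's own admin page the JavaScript sends the nonce with the request, e.g. jQuery.post(frsData.ajaxUrl, {action: 'frs_save', nonce: frsData.nonce, post_id: 12, post_title: '...', post_content: '...'}). A cross-site page cannot obtain frsData.nonce, so its forged request fails at check_ajax_referer() before any data is touched; the post type and capability checks then limit what even a legitimate caller can reach.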

Reflected XSS

There was also a reflected XSS, exploitable via a URL like:

https://your.site/post_with_a_slideshow/?skin=%3C/script%3E%3Cscript%3Ealert(/XSS/.source);%3C/script%3E

At the time, this XSS was blocked by the Chrome XSS Auditor, but that was never a fix: other browsers had no equivalent filter, and Chrome removed the auditor in version 78. The proper fix is to escape or validate the skin parameter on the server before it is written into the page.
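As an added illustration (not the plugin's code), the pattern behind the reflected XSS and two server-side fixes, written in plain PHP so it runs outside WordPress. It assumes the plugin printed the skin parameter into an inline <script> block; the function names and the skin names in the allow-list are invented for the example.

```php
<?php
// Added example, not the plugin's actual code. Assumes ?skin= was printed
// unescaped into an inline <script> block on pages containing a slideshow.

// Stand-in so the file runs without WordPress loaded; inside WordPress the
// real wp_json_encode() is used.
if (!function_exists('wp_json_encode')) {
    function wp_json_encode($data) { return json_encode($data); }
}

// Vulnerable: a value containing "</script>" ends the script element early,
// and the browser parses the remainder of the parameter as new HTML.
function frs_skin_script_vulnerable($skin) {
    return '<script>var frsSkin = "' . $skin . '";</script>';
}

// Fix (a): emit the value as a JSON string literal. json_encode() escapes "/"
// as "\/" by default, so "</script>" becomes "<\/script>" and can no longer
// terminate the element; quotes and backslashes are escaped as well.
function frs_skin_script_json($skin) {
    return '<script>var frsSkin = ' . wp_json_encode((string) $skin) . ';</script>';
}

// Fix (b), preferable where the set of skins is known: validate against an
// allow-list and fall back to a default, so untrusted input never reaches the
// page at all.
function frs_skin_validated($skin, array $allowed = array('default', 'dark', 'light')) {
    return in_array($skin, $allowed, true) ? $skin : 'default';
}

// The payload from the advisory's URL, as PHP sees it after URL-decoding.
$payload = '</script><script>alert(/XSS/.source);</script>';
echo frs_skin_script_vulnerable($payload), "\n";                     // breaks out of the script block
echo frs_skin_script_json($payload), "\n";                           // stays a harmless string literal
echo frs_skin_script_json(frs_skin_validated($payload)), "\n";       // unknown skin replaced by "default"
```

Running the file shows the first line contains a literal </script> followed by a fresh <script> element, while the second contains <\/script> inside a quoted JavaScript string and the third simply "default".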

Vendor response

Tonjoo Studio was contacted on April 3. The patch was released on May 18, 2016.

Credits

The vulnerability was discovered and researched by Jouko Pynnönen of Klikki Oy, Finland.