A few days ago the awesome folks over at Sucuri found a SQL Injection vulnerability in the popular WP Statistics WordPress Plugin, currently installed on over 300,000 websites. We wanted to check our existing toolsets would have detected the vulnerability so that we could ensure that Dewhurst Security clients were not affected by similar issues. During this process we identified the Authenticated Reflected Cross-Site Scripting (XSS) vulnerability we discuss below. This vulnerability was responsibly disclosed to the vendor who patched the issue and released a new version in the same day.
# Description #
Version 12.0.8.1 and below of the WP Statistics WordPress Plugin was found to be vulnerable to Authenticated Reflected Cross-Site Scripting (XSS). The ‘ip’ GET parameter on the ‘wps_visitors_page’ page is output to a page without first being validated, sanitised or output encoded. This leads to Authenticated Reflected Cross-Site Scripting (XSS), which could allow attackers to compromise a WordPress application by tricking an authenticated administrator user into clicking on a specially crafted link.
Please note that other potential instances of Authenticated XSS were identified; however, these were protected by Cross-Site Request Forgery (CSRF) nonces.
This issue was patched within hours by the vendor in version 12.0.9.
# Affected Software #
WP Statistics <= 12.0.8.1 - https://wordpress.org/plugins/wp-statistics/
# Technical Description #
Source: On line 28 of the `includes/log/last-visitor.php` file, the value of `$_GET['ip']` is assigned to the `$_get` variable.
Sink: On line 74 of the `includes/log/last-visitor.php` file, the `$_get` variable is output with the PHP `echo` statement without any validation or output encoding in between.
# Proof of Concept (PoC) #
Click on the following link in the Firefox browser: `http://mywordpress.com/wp-admin/admin.php?page=wps_visitors_page&ip=%27%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%3C%22`
A fully weaponised XSS exploit was created that used the WordPress Theme Editor to insert a PHP backdoor into a WordPress site. The weaponised XSS payload has not been supplied with this advisory, however, it is trivial to create.
# Remediation #
Vendor: Pass the `$_get` variable through WordPress’ `esc_attr()` function. For example: `$_get = esc_attr($_get);`
Users: Update to version 12.0.9, which fixes the vulnerability.
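The source-to-sink pattern from the Technical Description and the one-line fix from the Remediation section, as an added stand-alone PHP illustration that is not the plugin's own code: a hypothetical handler echoes the `ip` query parameter into an attribute, first raw and then wrapped in `esc_attr()`. The function names and the markup are assumptions made for this example; the `esc_attr()` stand-in exists only so the script runs outside WordPress.

```php
<?php
// Added illustration, not code from the WP Statistics plugin. Handler names,
// the markup and the stand-in below are assumptions made for this example.

// Stand-in for WordPress' esc_attr() so the script runs outside WordPress.
// The real esc_attr() normalises existing entities before escaping, but for
// this input both end up HTML-encoding <, >, & and both quote characters.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Source: the untrusted value is read from the query string (hypothetical
// handler mirroring the $_GET['ip'] -> $_get assignment in the advisory).
function render_visitor_filter_vulnerable(array $get): string
{
    $ip = isset($get['ip']) ? (string) $get['ip'] : '';
    // Sink: the raw value is echoed into a single-quoted attribute, so a value
    // containing a quote closes the attribute and the tag. Reflected XSS.
    return '<input type="text" name="ip" value=\'' . $ip . '\'>';
}

function render_visitor_filter_fixed(array $get): string
{
    $ip = isset($get['ip']) ? (string) $get['ip'] : '';
    // Vendor fix from the advisory: output-encode for the HTML attribute
    // context before the value reaches the sink.
    $ip = esc_attr($ip);
    return '<input type="text" name="ip" value=\'' . $ip . '\'>';
}

// Constructed input: the advisory's PoC value, URL-decoded.
$query = ['ip' => "'><img src=x onerror=alert(1)><\""];

echo "Vulnerable:\n", render_visitor_filter_vulnerable($query), "\n";
echo "Fixed:\n", render_visitor_filter_fixed($query), "\n";
```

Run with `php example.php`: the vulnerable output contains a live `<img>` tag, while the fixed output keeps the whole value inside the attribute as encoded text. Two points a reviewer would check when applying the fix: the escaping function must match the output context (`esc_attr()` for attribute values, `esc_html()` for text between tags, `esc_url()` for URLs), and since this parameter is meant to hold an IP address, rejecting anything that fails `filter_var($ip, FILTER_VALIDATE_IP)` is a cheap additional layer on top of the output encoding.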