------------------------------------------------------------------------
Cross-Site Scripting in Store Locator Plus for WordPress
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in Store Locator Plus for
WordPress. This issue allows an attacker to perform a wide variety of
actions, such as stealing Administrators' session tokens, or performing
arbitrary actions on their behalf. In order to exploit this issue, the
attacker has to lure/force a logged on WordPress Administrator into
opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0025

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Store Locator Plus for WordPress
version 4.5.09.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in Store Locator Plus for WordPress
version 4.5.12.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_store_locator_plus_for_wordpress.html

This issue exists in the file include/class.admin.locations.add.php and is caused due to the lack of output encoding on the start request parameter.

$this->section_params['opening_html'] =
   "<form id='manualAddForm' name='manualAddForm' method='post'>" .
   ( $this->adding ? '<input type="hidden" id="act" name="act" value="add" />' : '<input type="hidden" id="act" name="act" value="edit" />' ) .
   "<input type='hidden' name='id' " .
   "id='id' value='{$this->slplus->currentLocation->id}' />" .
   "<input type='hidden' name='locationID' " .
   "id='locationID' value='{$this->slplus->currentLocation->id}' />" .
   "<input type='hidden' name='linked_postid-{$this->slplus->currentLocation->id}' " .
   "id='linked_postid-{$this->slplus->currentLocation->id}' value='" .
   $this->slplus->currentLocation->linked_postid .
   "' />" .
   ( isset( $_REQUEST['start'] ) ? "<input type='hidden' name='start' id='start' value='{$_REQUEST['start']}' />" : '' ) .
   "<a name='a{$this->slplus->currentLocation->id}'></a>";


   
In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

Proof of concept

http://<target>/wp-admin/admin.php?page=slp_manage_locations&start=%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.