------------------------------------------------------------------------ Persistent Cross-Site Scripting in WassUp Real Time Analytics WordPress Plugin ------------------------------------------------------------------------ Burak Kelebek, October 2016 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A stored Cross-Site Scripting (XSS) vulnerability has been found in the WassUp Real Time Analytics WordPress Plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any user who views the Activity Log, in general WP admin. ------------------------------------------------------------------------ OVE ID ------------------------------------------------------------------------ OVE-20160717-0002 ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on WassUp Real Time Analytics version 1.9. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue has been fixed in version 1.9.1. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_wassup_real_time_analytics_wordpress_plugin.html A stored Cross-Site Scripting vulnerability was found in the Wassup WordPress plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. Particularly interesting about this issue is that an anonymous user can simply store his XSS payload in the Admin dashboard by just visiting the public site with a malformed link. The malicious script code can be sent by anyone visiting the website (unauthenticated). The malicious code is then executed in the admin panel under section 'Current Visitors' of the Wassup plugin page. The issue exists in the file wassup.php and is caused by the lack of output encoding on the request-uri parameter. The vulnerable code is listed below. '.stringShortener("$urlrequested",$chars).''; return $urllink; Proof of concept 1. Log in as admin and empty the log data of Wassup for a clean test -> http:///wp-admin/admin.php?page=wassup-options -> Manage Files and Data -> Empty table 2. Open Burp Suite and sent the following requests one after another: GET /test HTTP/1.1 Host: GET ///-->">'> HTTP/1.1 Host: 3. Open the Current Visitors Online page as an admin: http:///wp-admin/admin.php?page=wassup-online Note: Your request should be detected as a Spider/Bot by the Wassup plugin. One way to do this is by sending the requests above through Burp Suite. ------------------------------------------------------------------------ Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.