Abstract
A Cross-Site Scripting vulnerability was found in the W3 Total Cache plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a URL provided by an attacker.
OVE ID
OVE-20160719-0004
Tested versions
This issue was successfully tested on W3 Total Cache version 0.9.4.1.
Fix
This issue is resolved in W3 Total Cache version 0.9.5.
Introduction
The W3 Total Cache plugin is a WordPress Performance Optimization (WPO) framework designed to improve user experience and page speed. A Cross-Site Scripting vulnerability was found in the W3 Total Cache plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a URL provided by an attacker.
Details finding
The issue exists in the file inc/options/support/form.php
and is caused by the lack of output encoding on the request_id
request parameter. The vulnerable code is listed below.
<input type="hidden" name="request_type" value="<?php echo $request_type; ?>" />
<input type="hidden" name="request_id" value="<?php echo $request_id; ?>" />
<input type="hidden" name="payment" value="<?php echo $payment; ?>" />
Proof of concept
Have an authenticated admin visit the URL:
http://<target>/wp-admin/admin.php?page=w3tc_support&request_type=bug_report&request_id="><script>alert('sumofpwn.nl');</script>
A pop-up box should appear, meaning the JavaScript contained in the request_id
request parameter was executed by the browser.