Reflected Cross-Site Scripting vulnerability in W3 Total Cache plugin

Abstract

A Cross-Site Scripting vulnerability was found in the W3 Total Cache plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a URL provided by an attacker.

OVE ID

OVE-20160719-0004

Tested versions

This issue was successfully tested on W3 Total Cache version 0.9.4.1.

Fix

This issue is resolved in W3 Total Cache version 0.9.5.

Introduction

The W3 Total Cache plugin is a WordPress Performance Optimization (WPO) framework designed to improve user experience and page speed. A Cross-Site Scripting vulnerability was found in the W3 Total Cache plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a URL provided by an attacker.

Details finding

The issue exists in the file inc/options/support/form.php and is caused by the lack of output encoding on the request_id request parameter. The vulnerable code is listed below.

<input type="hidden" name="request_type" value="<?php echo $request_type; ?>" />
<input type="hidden" name="request_id" value="<?php echo $request_id; ?>" />
<input type="hidden" name="payment" value="<?php echo $payment; ?>" />

Proof of concept

Have an authenticated admin visit the URL:

http://<target>/wp-admin/admin.php?page=w3tc_support&request_type=bug_report&request_id="><script>alert('sumofpwn.nl');</script>

A pop-up box should appear, meaning the JavaScript contained in the request_id request parameter was executed by the browser.

Questions or feedback?