8/7/2019 Related Posts Word Press Plugin Cross Site Scripting Vulnerability - CVE-2011-0760
Headquarters: Rua Marechal Hermes 678 CJ 32, CEP 80530-230, Curitiba, PR. T (41) 3095.3986. www.conviso.com.br
USA Office: 8671 NW 56th Street, Suite B65, Doral, FL 33166. T (786) 382-0167. www.convisosec.com
Security Advisory
Related Posts Word Press Plugin Cross Site Scripting Vulnerability
CVE: 2011-0760
Published: March 17, 2011
Discovered by: Gabriel Quadros, Conviso Labs
Introduction
Copyright and Disclaimer
The information in this advisory is Copyright 2010 Conviso and is provided so that society can
understand the risk it may be facing by running affected software, hardware or other components used
on its systems. If you wish to copy information from this advisory, you must either copy all of it or
refer to this document (including our URL). No guarantee is provided for the accuracy of this information
or for damage you may cause to your systems in testing.
About Conviso
Conviso is a consulting company specialized in application security. Our values are based on the allocation
of the adequate competencies in the field, clear and direct communication with the market, collaboration and
partnership with our customers and business partners, and constant investment in methodology and
research improvement.
The vulnerability in this advisory was discovered as part of a general investigation into the security of software used in the
IT environments of our customers. For more information about our company and the services we provide, please
check our website at www.conviso.com.br.
The Security Research
Conviso maintains a virtual team dedicated to exploring our customers' environments in order to identify
technical vulnerabilities in software and hardware, developing real-world mitigation solutions and
processes to maintain more secure environments. Led by Wagner Elias, our CTO, this team is named
Conviso Labs and also contributes to projects of important world-class organizations.
The vulnerability described in this security advisory was discovered by Gabriel Quadros on December 22nd,
2010, during an internal security research effort.
Conviso Labs | Security Advisory
Related Posts Word Press Plugin Cross Site Scripting Vulnerability - CVE-2011-0760! 1
Issue Description
The WordPress Related Posts Plugin, available at http://WordPress.org/extend/plugins/wp-related-posts/,
shows the posts related to other posts. This advisory describes multiple Stored Cross Site Scripting
(XSS) vulnerabilities and one Cross Site Request Forgery (CSRF) vulnerability in the plugin. As a result, an
attacker can gain elevated access to sensitive page content, session cookies, and a variety of other
information maintained by the web browser on behalf of the WordPress administrator. Furthermore, the
attacker can perform actions with administrative privileges.
Affected Components
This problem was confirmed in the latest version of the plugin, WP Related Posts 1.0; other versions may
also be affected.
CVSS Scoring System
Conviso calculated the scores using the online CVSS calculator found at
http://www.patchadvisor.com/PatchAdvisor/CVSSCalculator.aspx and described at http://www.first.org/cvss/cvss-guide.pdf.
Criteria                       Description     Value
Base Metrics                                   6.7
  Access Vector                Remote
  Access Complexity            Low
  Authentication               Not Required
  Confidentiality Impact       Complete
  Integrity Impact             Complete
  Availability Impact          None
  Impact Bias                  Normal
Temporal Metrics                               6.4
  Exploitability               Functional
  Remediation Level            Unavailable
  Report Confidence            Confirmed
Environmental Metrics                          5.1
  Collateral Damage Potential  Low
  Target Distribution          Medium
Details
The plugin's configuration page is vulnerable to Stored Cross Site Scripting. The three fields
wp_relatedposts_title, wp_relatedposts_num and wp_relatedposts_type are received through POST or GET
and included in the response page with inadequate sanitization. The vulnerable code is shown below:
---
158:
159: Title:
160:
171: Tags
172: Category
173:
174:
---
Another vulnerable piece of code is the one which prints the related posts list. The title, received through the
parameter wp_relatedposts_title, is included with little sanitization in such lists. The vulnerable code is
shown below:
---
79: $relatedpost .= '
' . $options['title'] . '';
(...)
120: $relatedpost .= '
' . $options['title'] . '';
---
These vulnerabilities allow an attacker to inject HTML/JavaScript that is interpreted in the
session of an authenticated administrator. Since the plugin's configuration page is not protected against
Cross Site Request Forgery, exploitation permits the attacker to inject configuration values. Proof of
concept exploitation code is available to interested parties.
Issue Mitigation
The developers have not provided a patch or workaround. The fix should add code to sanitize the
values before including them in the output, using the htmlspecialchars() function or equivalent. Furthermore, a
mechanism to protect against CSRF is needed to prevent an attacker from changing the plugin's
configuration.
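To illustrate the mitigation above and the unescaped concatenation described under Details, here is an added PHP example; it is not the plugin's code and not Conviso's. The option and field names wp_relatedposts_title, wp_relatedposts_num and wp_relatedposts_type and the $options['title'] lookup come from this advisory; the nonce action name wp_relatedposts_save, the surrounding markup and the default values are assumptions. The wp_* and check_admin_referer() calls are WordPress core APIs, while the escaping helpers are plain PHP and run stand-alone.

```php
<?php
// Added example, not the plugin's code: one hardened shape for the two issues
// the advisory describes. Names wp_relatedposts_title/_num/_type and
// $options['title'] come from the advisory; the nonce action name, the
// markup and the defaults are assumptions.

// --- 1. Output escaping ------------------------------------------------------
// htmlspecialchars() with ENT_QUOTES turns & < > " ' into entities, so a stored
// value is rendered as text and can neither open a tag nor break out of an
// attribute value.
function wp_relatedposts_esc($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// The pattern the advisory reports: the title concatenated into HTML unescaped.
function wp_relatedposts_heading_unsafe(array $options) {
    return '<h3>' . $options['title'] . '</h3>';
}

// Same output structure, value escaped.
function wp_relatedposts_heading_safe(array $options) {
    return '<h3>' . wp_relatedposts_esc($options['title']) . '</h3>';
}

// Settings fields: the configuration page echoes stored values back into
// value="..." attributes, so those are escaped as well. The type field is a
// closed set, so only the known keys are ever written to the page.
function wp_relatedposts_settings_fields(array $options) {
    $html  = '<p>Title: <input type="text" name="wp_relatedposts_title" value="'
           . wp_relatedposts_esc($options['title']) . '"></p>';
    $html .= '<p>Number: <input type="text" name="wp_relatedposts_num" value="'
           . wp_relatedposts_esc($options['num']) . '"></p>';
    $html .= '<select name="wp_relatedposts_type">';
    foreach (array('tags' => 'Tags', 'category' => 'Category') as $key => $label) {
        $selected = ($options['type'] === $key) ? ' selected' : '';
        $html .= '<option value="' . $key . '"' . $selected . '>' . $label . '</option>';
    }
    return $html . '</select>';
}

// --- 2. CSRF protection --------------------------------------------------------
// WordPress nonces (wp_nonce_field / check_admin_referer) tie the form to the
// current user's session; a request forged from another site cannot carry one.
function wp_relatedposts_settings_form(array $options) {
    $form  = '<form method="post">';
    $form .= wp_nonce_field('wp_relatedposts_save', 'wp_relatedposts_nonce', true, false);
    $form .= wp_relatedposts_settings_fields($options);
    return $form . '<p><input type="submit" value="Save"></p></form>';
}

// Save handler: capability check, nonce check, then type-constrained values.
// Reading $_POST only (never GET) removes the link-based variant the advisory
// mentions. Input sanitisation is defence in depth; the output escaping above is
// what actually prevents the XSS.
function wp_relatedposts_save_settings() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges');
    }
    check_admin_referer('wp_relatedposts_save', 'wp_relatedposts_nonce'); // dies on a bad nonce

    $title = isset($_POST['wp_relatedposts_title'])
        ? sanitize_text_field(wp_unslash($_POST['wp_relatedposts_title'])) : '';
    $num   = isset($_POST['wp_relatedposts_num']) ? absint($_POST['wp_relatedposts_num']) : 5;
    $type  = (isset($_POST['wp_relatedposts_type']) && $_POST['wp_relatedposts_type'] === 'category')
        ? 'category' : 'tags';

    update_option('wp_relatedposts_title', $title);
    update_option('wp_relatedposts_num', $num);
    update_option('wp_relatedposts_type', $type);
}

// Stand-alone check of the escaping layer (plain PHP, no WordPress needed).
// The stored value is constructed for the demo.
if (PHP_SAPI === 'cli') {
    $stored = array('title' => 'Related <b>posts</b> & "more"', 'num' => '5', 'type' => 'tags');
    echo wp_relatedposts_heading_unsafe($stored), "\n"; // the <b> tag reaches the browser as markup
    echo wp_relatedposts_heading_safe($stored), "\n";   // the tag, & and quotes arrive as entities
}
```

Run the file with the PHP CLI to compare the two headings; the settings form and save handler only make sense inside a WordPress admin page, where the nonce and capability functions are defined. The order in the save handler matters: the capability and nonce checks come before any value is read or stored, so a forged request is rejected before it can change configuration.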
Additional Information
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2011-0760 to this
issue.