related posts word press plugin cross site scripting vulnerability - cve-2011-0760

8/7/2019 Related Posts Word Press Plugin Cross Site Scripting Vulnerability - CVE-2011-0760

1/5

Headquarters USA OfficeRua Marechal Hermes 678 CJ 32 8671 NW 56th Street, Suite B65CEP 80530-230, Curitiba, PR Doral, FL 33166T (41) 3095.3986 T (786) 382-0167www.conviso.com.br www.convisosec.com

Security Advisory

Related Posts Word Press Plugin Cross

Site Scripting Vulnerability

CVE: 2011-0760Published: March 17, 2011Discovered by: Gabriel Quadros, Conviso Labs
http://www.convisosec.com/http://www.convisosec.com/http://www.conviso.com.br/http://www.conviso.com.br/


2/5

Introduction

Copyright and Disclaimer

The information in this advisory is Copyright 2010 Conviso and provided so that the society can

understand the risk they may be facing by running affected software, hardware or other components used

on their systems. In case you wish to copy information from this advisory, you must either copy all of it or

refer to this document (including our URL). No guarantee is provided for the accuracy of this information,

or damage you may cause your systems in testing.

About Conviso

Conviso is a consulting company specialized on application security. Our values are based on the allocation

of the adequate competencies on the field, a clear and direct speech with the market, collaboration and

partnership with our customers and business partners and constant investments on methodology and

research improvement.

This advisory has been discovered as part of a general investigation into the security of software used in the

IT environments of our customers. For more information about our company and services provided, please

check our website at www.conviso.com.br.

The Security Research

Conviso maintains a virtual team dedicated to explore our customers environments in order to identify

technical vulnerabilities in software and hardware, developing real-world mitigation solutions and

processes to maintain more secure environments. Leaded by Wagner Elias, our CTO, this team is named

Conviso Labs and also contribute to important world-class organizations projects and organizations.

The vulnerability described in this security advisory was discovered by Gabriel Quadros on December 22nd

2010 during a internal security research.

Conviso Labs | Security Advisory

Related Posts Word Press Plugin Cross Site Scripting Vulnerability - CVE-2011-0760! 1
http://www.conviso.com.br/http://www.conviso.com.br/


3/5

Security Advisory

Issue Description

The WordPress Related Posts Plugin, available at http://WordPress.org/extend/plugins/wp-related-

posts/ shows the posts related to others posts. This advisory describes multiple Stored Cross Site Scripting

(XSS) vulnerabilities and one Cross Site Request Forgery (CSRF) vulnerability on the plugin. As a result, anattacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other

information maintained by the web browser on behalf of the WordPress administrator. Furthermore, the

attacker can perform actions with administrative privileges.

Affected Components

This problem was confirmed in the latest version of the plugin - WP Related Posts 1.0, other versions maybe

also affected.

CVSS Scoring System

Conviso calculated the scores using the online CVSS calculator found at http://www.patchadvisor.com/

PatchAdvisor/CVSSCalculator.aspx and described at http://www.first.org/cvss/cvss-guide.pdf.

Criteria Description Value

Base Metrics

Value: 6.7

Temporal Metrics

Value: 6.4

Environmental Metrics

Value: 5.1

Access Vector Remote

Access Complexity Low

Authentication Not Required

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact None

Impact BIAS Normal

Exploitability Functional

Remediation Level Unavailable

Report Confidence Confirmed

Collateral Damage Potential Low

Target Distribution Medium


http://www.first.org/cvss/cvss-guide.pdfhttp://www.first.org/cvss/cvss-guide.pdfhttp://www.patchadvisor.com/PatchAdvisor/CVSSCalculator.aspxhttp://www.patchadvisor.com/PatchAdvisor/CVSSCalculator.aspxhttp://www.patchadvisor.com/PatchAdvisor/CVSSCalculator.aspxhttp://www.patchadvisor.com/PatchAdvisor/CVSSCalculator.aspxhttp://wordpress.org/extend/plugins/wp-related-posts/http://wordpress.org/extend/plugins/wp-related-posts/http://wordpress.org/extend/plugins/wp-related-posts/http://wordpress.org/extend/plugins/wp-related-posts/


4/5

Details

The plugin's configuration page is vulnerable to Stored Cross Site Scripting. The three fields

wp_relatedposts_ title, wp_relatedposts_num and wp_relatedposts_type are received through POST or GET

and included on the response page with inadequate sanitization. The vulnerable code is shown bellow:

---158:

159: Title:

160:

171: Tags

172: Category

173:

174: ---

Another vulnerable piece of code is the one which prints the related posts list. The title, eceived through the

parameter wp_relatedposts_title, is included with little sanitization into suchs lists. The vulnerable code is

shown bellow:

---

79: $relatedpost.= '

' . $options['title'] . '';

(...)

120: $relatedpost.= '

' . $options['title'] . '';

---




5/5

These vulnerabilities allow an attacker to insert HTML/JavaScript commands to be interpreted in the

session of an authenticated administrator. Since the plugin's configuration page is not protected against

Cross Site Request Forgery, the exploitation permits the attacker to inject configuration values. Proof of

concept exploitation code is available to interested parties.

Issue MitigationThe developers have not provided a patch or workaround. The solution should add code to sanitize thevalues before including them using the htmlspecialchars() function or equivalent. Furthermore, a

mechanism to protect against the CSRF is needed to prevent an attacker from changing the plugin's

configuration.

Additional Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2011-0760 to this

issue.



related posts word press plugin cross site scripting vulnerability - cve-2011-0760

Documents