Subscribe2 [Persistent XSS]
Description
The Subscribe2 plugin offers AJAX-based handling of new subscription requests. The IP field of the AJAX form is not properly sanitized before it is stored in the database or printed in the admin panel, allowing a malicious user to perform a persistent XSS attack.
No special capabilities are required to perform this attack, so even an unauthenticated guest can exploit it. The only requirement is that the corresponding option is enabled in the plugin settings (Subscribe2 → Settings → Appearance → Enable AJAX style subscription form).
Note that while the subscriber's status is unconfirmed, the IP information is properly sanitized, which mitigates the attack. As soon as the administrator changes the status to confirmed, the malicious code is executed.
PoC
First enable the corresponding option in the plugin settings (Subscribe2 → Settings → Appearance → Enable AJAX style subscription form) and then run:
curl 'http://wp1.dev/wp-admin/admin-ajax.php?action=subscribe2_form' \
-d 'subscribe=1&ip=" onclick=alert(1);//&[email protected]'
Go to Subscribe2 → Subscribers and confirm the user's subscription. Click on the email address; an alert should appear.
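As an added illustration (not Subscribe2's own code; the function names are hypothetical), the two controls that close this class of bug: validate the submitted ip value as an IP address before it is stored, and escape it on output in the admin list regardless of the subscriber's status. It also shows that the output escaping alone neutralises rows already stored with the payload. Inside WordPress the output step would use esc_html(); plain htmlspecialchars() is used here so the script runs stand-alone.

```php
<?php
// Added example, not Subscribe2's own code. Models the two places where the
// advisory's IP field has to be handled: on storage (AJAX request -> DB) and
// on output (admin subscriber list). Function names are hypothetical.

// Storage side: accept only a syntactically valid IPv4/IPv6 address.
// Returns the validated string, or null when the value must not be stored.
function sanitize_subscriber_ip(string $raw): ?string
{
    $ip = trim($raw);
    // filter_var() does the full parse; the PoC payload '" onclick=alert(1);//'
    // is not an address and is rejected here.
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : null;
}

// Output side: escape every stored field, independent of confirmed/unconfirmed
// status (the advisory reports escaping is skipped for confirmed subscribers).
// In WordPress esc_html() would be used; htmlspecialchars() keeps this standalone.
function render_subscriber_row(string $email, ?string $ip, bool $confirmed): string
{
    $shown_ip = $ip ?? 'unknown';
    return sprintf(
        '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
        htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        htmlspecialchars($shown_ip, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        $confirmed ? 'confirmed' : 'unconfirmed'
    );
}

// Constructed sample inputs: the PoC payload plus two benign addresses from
// the documentation ranges.
$samples = [
    '" onclick=alert(1);//',
    '203.0.113.7',
    '2001:db8::1',
];

echo "New submissions (validated on storage):", PHP_EOL;
foreach ($samples as $raw) {
    $ip = sanitize_subscriber_ip($raw);          // null for the payload
    echo render_subscriber_row('subscriber@example.com', $ip, true), PHP_EOL;
}

// Rows stored before validation existed may still carry the payload; the
// output escaping turns the quote into &quot; so no attribute is broken out of.
echo "Legacy row (raw value, escaped on output only):", PHP_EOL;
echo render_subscriber_row('subscriber@example.com', $samples[0], true), PHP_EOL;
```

Run with `php example.php`; the first row shows `unknown` in the IP column and the legacy row shows the payload as inert, escaped text.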
Solution
No fix available
Workaround
Disable the option "Enable AJAX style subscription form".
- 5 April 2016
- Pan Vag
- readygraph.com
- Subscribe2
- WordPress 4.4.2