Free Counter [Persistent XSS]

The WordPress plugin Free Counter suffers from a persistent (stored) XSS vulnerability.

Description

Any authenticated or non-authenticated user can perform a stored XSS attack simply by abusing the wp_ajax_nopriv_check_stat action. The plugin uses a widget to display the website's visit count, so any page that contains this widget will also load the injected JavaScript.

Proof of Concept

  1. Send a POST request to

     http://www.free-counter.org/Api.php

     in order to reveal the counter id of the vulnerable site. The POST data must contain the following vars:

     action=create_new_counter&site_url=http%3A%2f%my.vulnerable.website.com

  2. The response is a serialized indexed array; the value we need is the counter_id.
  3. Send a POST request to

     http://my.vulnerable.website.com/wp-admin/admin-ajax.php

     with data:

     action=check_stat&id_counter=[counter_id from step 2]&value_=<script>alert(1)</script>

  4. Visit a page of the infected website that displays the plugin's widget.

Note that the plugin uses the update_option function to store the $_POST['value_'] contents in the DB, so quotes in the inserted code will be escaped. However, a malicious user can simply omit the quotes in the src attribute of the script tag; most modern browsers treat the tag as if the quotes were there.
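The root cause is an unauthenticated AJAX handler that stores an attacker-controlled value with update_option and a widget that echoes it back unescaped. Below is a hardened version of such a handler and widget renderer, added here as an illustration; it is not the Free Counter plugin's code, and the function names, nonce action and option name are assumptions.

```php
<?php
// Added example, not the plugin's own code. Function names, the nonce action
// and the option prefix are assumptions chosen for illustration.

// Register the handler for logged-in users only: no wp_ajax_nopriv_ variant,
// so an unauthenticated POST to admin-ajax.php gets no handler at all.
add_action( 'wp_ajax_check_stat', 'fc_example_check_stat' );

function fc_example_check_stat() {
    // Only an administrator, and only from a page that issued a valid nonce,
    // may write the option that the public widget later displays.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'fc_example_check_stat', 'nonce' );

    // Constrain the input shapes: the counter id must be a positive integer,
    // and the value is reduced to plain text with tags stripped before storage.
    $id_counter = isset( $_POST['id_counter'] ) ? absint( $_POST['id_counter'] ) : 0;
    $value      = isset( $_POST['value_'] )
        ? sanitize_text_field( wp_unslash( $_POST['value_'] ) )
        : '';

    if ( 0 === $id_counter ) {
        wp_send_json_error( 'invalid counter id', 400 );
    }

    update_option( 'fc_example_stat_' . $id_counter, $value );
    wp_send_json_success();
}

// Widget output: escape on output regardless of what is stored, so a value
// written before the fix (for example one containing a script tag) renders
// as inert text instead of being parsed as markup.
function fc_example_render_stat( $id_counter ) {
    $value = get_option( 'fc_example_stat_' . absint( $id_counter ), '' );
    return '<span class="fc-stat">' . esc_html( $value ) . '</span>';
}
```

Input sanitisation alone would not have protected sites that already hold a poisoned option; the esc_html() call on output is what neutralises values stored before the fix.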
