• Resolved kgagne

    (@kgagne)


    I received notification of a security flaw in WordPress Smart App Banner plugin <= 1.1.3:

    This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

    Patchstack

    Will there be a patch to address this issue?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author stephend

    (@stephend)

    I’ve been looking into this, but I don’t see any details of the vulnerability.

    Thread Starter kgagne

    (@kgagne)

    Contradicting the vulnerability report I previously linked to, which says the issue exists in v1.1.3 and earlier, this report suggests the problem affects only v1.1.2 and earlier and was fixed in v1.1.3.

    The Smart App Banner plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wsl_smart_app_banner_options function. This makes it possible for unauthenticated attackers to modify the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

    🤷‍♂️

    chrisaudio

    (@chrisaudio)

    Hi StephenD,

    I’ve got this issue message by Really Simple SSL:

    https://really-simple-ssl.com/vulnerability/34adee56-a0be-4e48-a8ca-791fcf8fe10f/

    Could you please have a look at this?

    Thx and all the best,
    Chris

    Plugin Author stephend

    (@stephend)

    I’m unclear if that’s the same vulnerability, but it does actually have enough information to be able to understand it!

    I am looking into it. It’s real, but you need admin privileges to do anything with it. Needless to say, if you have admin you can already do what you like.

    chiemseerocks

    (@chiemseerocks)

    Hi StephenD,

    I get the same error message from my security plugins and from Umbrella WP. Also see this link: https://patchstack.com/database/vulnerability/smart-app-banner/wordpress-smart-app-banner-plugin-1-1-3-cross-site-scripting-xss

    Could you please have a look at that issue?

    Thanks

    Benny

    Plugin Author stephend

    (@stephend)

    As noted above, the PatchStack link does not have enough information to be able to resolve. Assuming that it’s the same issue noted by chrisaudio, I am working on it.

    However, this is only exploitable if you have admin access. And if you already have admin access, you can already display whatever code you want.

    Plugin Author stephend

    (@stephend)

    Hopefully this is resolved in 1.1.4.

    For those interested, this was more difficult to fix than it might first look. The validation for the affiliate data and app argument is… complicated. There do not seem to be documented rules for what the app argument is, making it difficult to determine what is valid and what is not. I just accept it as text. The app argument is a URL, but you can’t use WordPress built-in validation routines as it is likely a custom URL scheme, and you can only specify an allow-list of valid schemes. In the end, it allows anything that “looks like” a URL but deny-lists JavaScript.

    This complexity leads to the “hopefully” in the opening paragraph. It is possible that the validation is too strict, and it does not allow some valid options. It’s also possible that the validation is too lax and allows options that it should not.

    Let me know if you find either of these cases.
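The two defects discussed in this thread (the missing nonce check on the options function quoted in the thread starter's second post, and the app-argument validation problem stephend describes in the final post) are illustrated below in one added example. This is not the Smart App Banner plugin's own code and was not written by its author; the option name, nonce action string and form field names are assumed, and the validator goes slightly beyond the page by deny-listing `data:` and `vbscript:` alongside `javascript:`, since browsers treat those as script-capable schemes too.

```php
<?php
// Added example, not the Smart App Banner plugin's code. Shows the pattern
// for a settings-save handler that (1) rejects forged requests with a
// capability check plus a WordPress nonce, and (2) validates an app-argument
// value that may use a custom URL scheme, which rules out esc_url() and the
// wp_allowed_protocols() allow-list. Names marked "assumed" are hypothetical.

const WSL_EXAMPLE_NONCE_ACTION = 'wsl_smart_app_banner_save';    // assumed
const WSL_EXAMPLE_OPTION       = 'wsl_smart_app_banner_example'; // assumed

/**
 * Validate an app-argument URL such as "myapp://inbox/42".
 * Returns the trimmed value, or null when it is rejected.
 *
 * Accepted: an RFC 3986 scheme (letter, then letters/digits/+/-/.) followed
 *           by ":" and anything else, with no ASCII control characters.
 * Rejected: scheme-less text, control characters (some browsers strip
 *           tabs/newlines inside a scheme, so "java\tscript:" must not pass),
 *           and the script-capable schemes javascript:, data:, vbscript:.
 */
function wsl_example_validate_app_argument( string $value ): ?string {
    $value = trim( $value );
    if ( $value === '' || strlen( $value ) > 2048 ) {
        return null;
    }
    if ( preg_match( '/[\x00-\x1F\x7F]/', $value ) ) {
        return null;
    }
    // Capture the scheme so it can be compared against the deny-list.
    if ( ! preg_match( '#^([A-Za-z][A-Za-z0-9+.-]*):#', $value, $m ) ) {
        return null;
    }
    $scheme = strtolower( $m[1] );
    $denied = array( 'javascript', 'data', 'vbscript' );
    if ( in_array( $scheme, $denied, true ) ) {
        return null;
    }
    return $value;
}

/**
 * Handles the POSTed settings form (hooking it up via admin-post.php or the
 * options page is assumed and not shown).
 */
function wsl_example_save_options(): void {
    // Capability check: only administrators may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: a forged cross-site request cannot carry a valid nonce,
    // so check_admin_referer() stops the request here (it calls wp_die()).
    check_admin_referer( WSL_EXAMPLE_NONCE_ACTION, '_wsl_nonce' );

    $raw = isset( $_POST['wsl_app_argument'] ) ? wp_unslash( $_POST['wsl_app_argument'] ) : '';
    $app_argument = wsl_example_validate_app_argument( (string) $raw );
    if ( $app_argument === null ) {
        wp_die( 'The app argument must be a URL with a non-script scheme.', '', array( 'response' => 400 ) );
    }
    update_option( WSL_EXAMPLE_OPTION, array( 'app_argument' => $app_argument ) );
}

/** Emits the nonce field inside the settings <form>. */
function wsl_example_nonce_field(): void {
    wp_nonce_field( WSL_EXAMPLE_NONCE_ACTION, '_wsl_nonce' );
}

/**
 * Builds the banner meta tag. Input validation above does not replace output
 * escaping: esc_attr() is still applied when the value lands in an attribute.
 */
function wsl_example_render_meta( array $opts ): string {
    $content = 'app-id=' . esc_attr( $opts['app_id'] ?? '' );
    if ( ! empty( $opts['app_argument'] ) ) {
        $content .= ', app-argument=' . esc_attr( $opts['app_argument'] );
    }
    return '<meta name="apple-itunes-app" content="' . $content . '">';
}
```

The validator deliberately checks only the scheme and the character set rather than the full URL grammar, which matches the "looks like a URL" approach described above; a stricter rule would risk rejecting legitimate custom schemes that have no published format. The nonce and capability checks are independent of that validation, so even if the validator turns out to be too lax, an unauthenticated cross-site request still cannot reach `update_option()`.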
  • The topic ‘Cross Site Scripting (XSS) vulnerability’ is closed to new replies.