When doing a Penetration testing exercise against Web applications, you will always come across up-to-date WordPress instances. No public CVEs and no publicly known exploits for WordPress Core and WordPress Plugins. And yet, is the website really secure?
On 5th of March 2021, while working on a project, I was able to identify a vulnerability in the WP Offload SES Lite WordPress plugin before 1.4.5. Lately, I was assigned with CVE-2021-24494 by WPScan.
The project I was involved was using WordPress version 5.6 (last version in March 2021), and WP Offload SES Lite 1.4.4. The plugin was used to receive the emails from Contact Form.
The WP Offload SES Lite WordPress plugin <1.4.5 did not escape some of the fields in the Activity page of the Administrator dashboard, such as the email’s id, subject and recipient, which could lead to Stored Cross-Site Scripting issues when an attacker can control any of these fields, for example the subject of a contact form. The XSS will be executed in the context of a logged in Administrator viewing the Activity tab of the plugin.
Steps to reproduce
To validate the vulnerability, I firstly installed a fresh version of WordPress using Docker, and then I installed the vulnerable plugin. Other configuration were left untouched, so that I could clearly identify the vulnerability cause.
Secondly, I injected a Cross-Site-Scripting payload in the Form’s Subject, as the following screenshot shows:
Down below is the XSS payload used in the Subject field
"><script>alert('xss in subject')</script>
Now that the Contact Form was sent, I immediately log in as Administrator to see if the email was received. As I identified in the project I was involved in, the vulnerability indeed exists on this specific plugin and the following screenshot shows the confirmation:
Reporting the vulnerability
After validating the vulnerability, I immediately wrote a report in Markdown, convert it to PDF and then sent that report to the developers of the plugin, i.e. Delicious Brains Inc. They responded in timely manner, saying that they will fix the issue in their next update, which came on April 1st. In the meantime, I opened a request for a CVE at MITRE, by using their form. Indeed, they redirected me to WPScan, which finally confirmed the vulnerability and assigned the CVE.
Although it might be seeming useless to test a fully patched WordPress website, give it a shot and try different attack vectors. Yes, it sometimes requires you to think outside the box, but the results would be worthy. Don’t give up immediately if you feel stuck, try a different approach, it might give you other outputs.