Cross-Site-Scripting Vulnerability in AIT Pro BulletProof Security
In the admin/db-backup-security/db-backup-security.php page in the BulletProof Security plugin before .52.5 for WordPress, XSS is possible for remote authenticated administrators via the DBTablePrefix parameter.
CVE IDCVE-2015-9230
CVSS v3.14.8 Medium
VendorAIT Pro BulletProof
CWECWE-79
DisclosedSep 4, 2015
StatusFixed
01/Description
What this actually is.
Technical background, root cause, and affected surface.
A Cross-Site Scripting vulnerability was identified on WordPress plugin BulletProof Security before .52.5 in the admin/db-backup-security/db-backup-security.php page.
Vendor
AIT Pro BulletProof
Affected Product
AIT Pro BulletProof Security
CVE
CVE-2015-9230
Securin ID
2015-CSW-09-1005
Status
Fixed
Date
September 4, 2015
Severity
Medium
CVSS Score
4.8
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE
CWE-79
02/Proof of Concept
From one request to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
01Visit the following page on a site with this plugin installed.02http://yourwordpresssite.com/wordpress/wpadmin/admin.php?page=bulletproofsecurity/admin/db-backup-security/db-backup-security.php and modify the value of DBTablePrefix variable with “></script><script>alert(document.cookie);</script> payload and send the request to the server. Now, the added XSS payload is echoed back from the server without validating the input. It affects the wp-config.php file, $table_prefix, and corrupts the database connectivity.03Note: XSS payload has been tried with the application once after implementing Unfiltered Html Settings as defined to the wp-config.php file.04Define (‘DISALLOW_UNFILTERED_HTML’, true);05Users: You must be an Administrator and logged into the site as an Administrator to enter/test the XSS HTML testing code in the Randomly Generated DB Table Prefix Form text box. Please do not try this test if you are using a version of BPS versions. Entering an invalid DB Table Prefix name will crash your website.06Issue 1: The Post Request DBTable Prefix variable in the URL http://yourwordpresssite.com/wordpress/wpadmin/admin.php?page=bulletproofsecurity/admin/db-backup-security/db-backup-security.php is vulnerable to Cross-Site Scripting (XSS).07Figure 01:Invalid HTTP script Request sent to the server through the vulnerable DBTablePrefix variable in the URL http://localhost/wordpress/wpadmin/admin.php?page=bulletproof-security/admin/db-backup-security/db-backup-security.php08Figure 02: Echoed back HTTP Response without validation.09Figure 03: Response Executed in the browser with the Cookie value.10Figure 04: $table_prefix is also damaged with the given XSS Payload.11Figure 05: Error message after the payload gets executed in the browser.
03/Impact
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
An XSS vulnerability allows an attacker to inject malicious code into the applications via the DBTablePrefix parameter.
04/Remediation
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Download the latest updated version of the Nextgen plugin and apply the patch as per vendor advisory.
Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2015-9230, contact disclose@securin.io
05/Disclosure Timeline
Vendors moved in days. Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
Sep 04, 2015
Discovered in AIT Pro BulletProof Security Plugin.
Sep 04, 2015
Fixed in AIT Pro BulletProof Security Plugin Version .52.5.
Timeline recorded · Disclosure coordinated by Securin
06/References
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.