{"id":7452,"date":"2022-01-25T18:06:42","date_gmt":"2022-01-26T01:06:42","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7452"},"modified":"2023-04-05T12:35:28","modified_gmt":"2023-04-05T19:35:28","slug":"securin-discovers-a-xss-vulnerability-in-wordpress-post-duplicator-plugin","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/securin-discovers-a-xss-vulnerability-in-wordpress-post-duplicator-plugin\/","title":{"rendered":"Securin (previously CSW) Discovers a XSS Vulnerability in WordPress Post Duplicator Plugin"},"content":{"rendered":"

Cyber Security Works discovered and reported a Stored Cross-Site Scripting vulnerability in the WordPress Post Duplicator plugin that allows an authenticated attacker to inject a JavaScript payload into a trusted URL. The vulnerability has been assigned the CVE identifier CVE-2021-33852 and is rated medium severity with a CVSS v3 score of 6.1.


Post Duplicator is one of the most popular WordPress plugins, with over 200 thousand installations; it lets users clone posts of any type or copy them to new files for additional editing. That install base is why this vulnerability requires immediate attention.


Proof-of-Concept

The following vulnerability was discovered in Post Duplicator plugin 2.23.

Affected Product: Post Duplicator version 2.23
WordPress Version tested: WordPress 5.8.2
Vendor Homepage: https://wordpress.org/plugins/post-duplicator/
Severity: Medium
CVSS Score: 6.1
CWE ID: CWE-79 (Improper Neutralization of Input During Web Page Generation)
Vulnerability Type: Cross-Site Scripting
Request Type: POST
Vulnerable URL: http://localhost/wordpress/wp-admin/tools.php?page=mtphr_post_duplicator_settings_menu
Vulnerable Variable/Parameters: mtphr_post_duplicator_settings[title], mtphr_post_duplicator_settings[slug]


Note: localhost is used here because the application was tested locally.

1. Log in to the WordPress application.
2. Install the Post Duplicator plugin.
3. Go to the ‘Tools’ menu of WordPress and click on the ‘Post Duplicator’ button.

Figure 01: Post Duplicator Settings Page

4. Enter the payload – Duplicate Post”><script>alert(document.cookie)</script> in the ‘Duplicate Title’ field (mtphr_post_duplicator_settings[title] parameter).

Figure 02: Entering the XSS payload in the ‘Duplicate Title’ field

5. Enter the payload – Hello World!”><script>alert(document.cookie)</script> in the ‘Duplicate Slug’ field (mtphr_post_duplicator_settings[slug] parameter).

Figure 03: Entering the XSS payload in the ‘Duplicate Slug’ field

6. Click on the ‘Save Changes’ button to save the settings.
7. Go to the Post Duplicator Settings page at tools.php?page=mtphr_post_duplicator_settings_menu.

Figure 04: The injected XSS payload executes, displaying an alert box with the contents of the user’s cookies.

8. The vulnerability is also triggered when a post is duplicated after the XSS payload has been injected on the settings page.

Figure 05: Duplicate the “Hello world!” post

9. Once the post is duplicated, the title of the duplicated post has the text specified in the mtphr_post_duplicator_settings[title] parameter appended to it.

Figure 06: Duplicated post with XSS payload

10. Navigate to the application root to view the posts.

Figure 07: The injected XSS payload executes, displaying an alert box with the contents of the user’s cookies.

Figure 08: The default cross-site scripting mitigation setting in the wp.config file to prevent cross-site scripting attacks

Impact

An attacker can perform the following:

• Inject malicious code into the vulnerable variable and exploit the application through the cross-site scripting vulnerability.
• Modify the code and obtain the session information of other users.
• Compromise the user’s machine.

Remediation

• Perform context-sensitive encoding of untrusted input before it is echoed back to the browser, using an encoding library consistently throughout the application.
• Implement input validation for special characters on all variables that are reflected in the browser or stored in the database.
• Explicitly set the character set encoding for each page generated by the web server.
• Encode dynamic output elements and filter specific characters in dynamic elements.

Timeline

Dec 28, 2021: Discovered in the `Post Duplicator Plugin – 2.23` product
Dec 29, 2021: Reported to the WordPress team
Dec 31, 2021: Vendor fixed the issue
Dec 31, 2021: CSW assigned the CVE identifier (CVE-2021-33852)

WordPress has a massive attack surface due to its large number of active installations. At any one time, attempts to break into WordPress sites are like a continual hum in the background of all internet traffic. Therefore, we urge users to patch this vulnerability immediately.

Contribution Credits: Sriraam Natarajan","protected":false},"excerpt":{"rendered":"

                    Cyber Security Works discovered and reported a Stored Cross-Site Scripting vulnerability in WordPress Post Duplicator Plugin that allows an authenticated attacker to inject a JavaScript payload into a trusted URL.<\/p>\n","protected":false},"author":7,"featured_media":7453,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[82,80,109,127,154],"tags":[442,520,432,522,521],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7452"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=7452"}],"version-history":[{"count":5,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7452\/revisions"}],"predecessor-version":[{"id":17381,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7452\/revisions\/17381"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/7453"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=7452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=7452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=7452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}