Persistent XSS Flaws Patched in Popular WordPress Plugins

Persistent cross-site scripting (XSS) vulnerabilities were patched over the past several days in three popular WordPress plugins, including Activity Log, All in One SEO Pack, and WP Live Chat Support.

Of the three, the XSS in All in One SEO Pack is the security issue with the highest impact, given that the plugin has over one million installs and is reportedly the most downloaded plugin for WordPress. Designed to help site admins to automatically optimize their site for search engines, the All in One SEO Pack contains a bug in the Bot Blocker functionality.

David Vaartjes, who discovered the vulnerability, explains in an advisory that an attacker exploiting the issue could steal Administrators’ session tokens or perform arbitrary actions on their behalf. The researcher also explains that “an anonymous user can simply store his XSS payload in the Admin dashboard by just visiting the public site with a malformed User Agent or Referrer header.”

The Bot Blocker functionality allows admins to prevent certain bots from accessing / crawling the website. Bots are detected based on User Agent and Referrer header patterns, and a 404 is returned when a request is blocked. A “Track Blocked Bots” setting allows for blocked requests to be logged in the HTML page, but the logging is performed without proper sanitization or output encoding, allowing XSS, the researcher found.

The vulnerability was tested in All in One SEO Pack version 2.3.6.1, but Semper Fi Web Design, the plugin’s developer, has released a fix for it in version 2.3.7 last week. Admins using the plugin are advised to update their installation as soon as possible or to disable the “Track Blocked Bots” setting to ensure they are protected.

The stored XSS bugs in Activity Log and WP Live Chat Support plugins were both discovered by the same researcher, Han Sahin, and both can be exploited to inject malicious JavaScript code into the application. Although not as popular as SEO Pack, these plugins still have 30,000+ and 20,000+ installations, respectively, putting tens of thousands of users at risk.

Activity Log doesn’t sufficiently check input supplied to the X-Forwarded-For HTTP header and fails to encode the output when the input is presented in a “wrong password event,” which results in the malicious request to be stored in the Activity Log page. An attacker can exploit the flaw to steal victims’ session tokens or login credentials, perform arbitrary actions on their behalf, and log their keystrokes or deliver malware, the bug’s advisory reveals.

The WP Live Chat Support plugin uses the Referrer header to present the current page on which the chat is initiated to backend (wp-admin) chat users, but doesn’t properly output encode the URL retrieved from the database, which results in a persistent XSS, the advisory reads. The flaw allows an attacker to perform actions on behalf of a logged on WordPress user, such as stealing victims’ session tokens or login credentials, performing arbitrary actions on their behalf, and logging keystrokes.

WordPress Activity Log version 2.3.1 and WP Live Chat Support version 6.2.00 were found to be vulnerable, but both vulnerabilities were resolved in version 2.3.2 of Activity Log and version 6.2.02 of the WP Live Chat Support plugin. As always, admins are advised to update their installations as soon as possible.

Related: Backdoor in WordPress Plugin Steals Admin Credentials

Related: Hacked WordPress Sites Target Random Users