IMPress for IDX Broker < 2.6.2 - Authenticated Stored Cross-Site Scripting (XSS) via unprotected 'idx_update_recaptcha_key' AJAX



Description
The IMPress for IDX Broker plugin contains a captcha feature to prevent spam submissions. Since it uses Google’s ReCAPTCHA service, it requires an API key. Unfortunately, the AJAX action the plugin registered to update this API key did not use capability checks or nonce checks.

This made it  possible for a logged-in attacker with minimal permissions, such as a subscriber, to send a request to wp-admin/admin-ajax.php with the action parameter set to idx_update_recaptcha_key and the idx_recaptcha_site_key parameter set to a malicious JavaScript, which could then be executed in an administrator’s browser the next time they visited the plugin’s settings panel.

Affects Plugin

fixed in version 2.6.2

References

CVE 2020-11512
URL https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-impress-for-idx-broker/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Ramuel Gall (Wordfence)
Submitter Ramuel Gall
Views 755
Verified No
WPVDB ID 10152

Timeline

Publicly Published 2020-03-26 (2 months ago)
Added 2020-03-26 (about 2 months ago)
Last Updated 2020-04-09 (about 2 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin