safe-editor <= 1.1 - Unauthenticated CSS/JS-injection


Description
When saving JS/CSS in this plugin, both the private and the public AJAX hooks are used. Because of this, anyone can post JS/CSS that is saved to the database and printed in the head and footer portions of the page.
Proof of Concept
In the file "index.php" (in the plugin's root folder), on lines 188 and 189, you can see that both the private and the public AJAX hooks are registered and reference the function "se_save".
This function performs no authentication check and no string sanitizing. Therefore you can inject whatever you want where "wp_footer" and "wp_head" are called. With, for example, cURL or the Chrome app Postman, this can be exploited with ease.

Example:
URL: http://www.site.com/wp-admin/admin-ajax.php

(POST data displayed as JSON)

# JS injection
{
  "type": "js",
  "data": "alert(\"Hello world!\");",
  "action": "se_save"
}

# CSS injection
{
  "type": "css",
  "data": "body { display: none !important; }",
  "action": "se_save"
}
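As an added illustration (not the plugin's actual code, which this page does not reproduce), the following shows the hook pattern the advisory describes next to a hardened form of the same handler. The option names, the nonce action string, the nonce field name and the chosen capability are assumptions.

```php
<?php
// Added example, not the plugin's code. Option names, nonce action/field name
// and the capability are assumptions.

// VULNERABLE pattern as described in the advisory: one handler is bound to both
// the logged-in (wp_ajax_) and the anonymous (wp_ajax_nopriv_) hook, and it
// writes request data straight to the database with no checks at all.
function se_save_vulnerable() {
    $type = $_POST['type'];                          // 'js' or 'css', unchecked
    update_option( 'se_' . $type, $_POST['data'] );  // no auth, no nonce, no sanitizing
    wp_die();
}
add_action( 'wp_ajax_se_save', 'se_save_vulnerable' );
add_action( 'wp_ajax_nopriv_se_save', 'se_save_vulnerable' );  // reachable anonymously

// HARDENED version: only the logged-in hook is registered, the request must carry
// a valid nonce, the caller must be allowed to manage options (stored JS/CSS is
// effectively admin-level content), and 'type' is restricted to a whitelist.
function se_save_hardened() {
    // Nonce issued in the admin page with wp_create_nonce( 'se_save_nonce' )
    // and sent as the 'nonce' POST field (names assumed).
    check_ajax_referer( 'se_save_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $type = isset( $_POST['type'] ) ? $_POST['type'] : '';
    if ( ! in_array( $type, array( 'js', 'css' ), true ) ) {
        wp_send_json_error( 'invalid type', 400 );
    }

    $data = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';
    update_option( 'se_' . $type, $data, false );
    wp_send_json_success();
}
add_action( 'wp_ajax_se_save', 'se_save_hardened' );
// Deliberately no wp_ajax_nopriv_se_save registration: anonymous requests to
// admin-ajax.php with action=se_save now get WordPress's default "0" response.
```

The decisive change is the missing wp_ajax_nopriv_ registration plus the capability check; the nonce alone would not stop an anonymous caller, since nonces only protect logged-in users against CSRF.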

Affects

Plugin safe-editor
fixed in version 1.2

References

URL https://wordpress.org/plugins/safe-editor/changelog/
URL https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=1416364%40safe-editor%2Ftrunk&old=1067776%40safe-editor%2Ftrunk

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Submitter Robert Sæther
Submitter Twitter robsat91
Views 67
Verified No
WPVDB ID 8497

Timeline

Publicly Published 2016-05-06
Added 2016-05-17
Last Updated 2016-05-17

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.