Ultimate Instagram Feed <= 1.3 - Authenticated Cross-Site Scripting (XSS)


Description
Author: OmarK <http://omark.me/>

The vulnerability lies in the "access_token" parameter and results in a
reflected XSS vulnerability.

The issue is in the file
ultimate-instagram-feed/admin/partials/uif-access-token-display.php, line
19:

<input id='uif_access_token' type="text" class="regular-text" name="uif_access_token"
       value="<?php if (get_option('uif_access_token')) { echo get_option('uif_access_token'); }
                    elseif (isset($_GET['access_token'])) { echo $_GET['access_token']; } ?>">

The vulnerable code is the following:
echo $_GET['access_token'];

There is an echo of the variable "access_token", which can be controlled by
the user. This leads to reflected XSS vulnerability.
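To make the attribute-context issue concrete, here is an added illustration (not the plugin's own code) that places the unescaped echo from the advisory next to an output-escaped version; the sample input, the helper names `render_vulnerable`, `render_safe` and `attr`, and the use of htmlspecialchars() in place of WordPress's esc_attr() are assumptions of this example.

```php
<?php
// Added illustration, not the plugin's code. Run with the PHP CLI.

// Constructed sample input: a double quote closes value="..." and the
// remainder is parsed as new markup, which is the break-out the advisory uses.
$sample = '"><i>injected</i>';

// Vulnerable pattern, mirroring the plugin's logic: the stored option wins,
// otherwise the raw query value is echoed straight into the attribute.
function render_vulnerable(?string $stored, ?string $fromQuery): string
{
    $value = '';
    if ($stored) {
        $value = $stored;
    } elseif ($fromQuery !== null) {
        $value = $fromQuery;   // echo $_GET['access_token'] in the plugin
    }
    return '<input id="uif_access_token" type="text" name="uif_access_token" value="'
        . $value . '">';
}

// Escape for the HTML attribute context. ENT_QUOTES encodes both quote
// characters as well as < > &, so the value can no longer leave the attribute.
// Inside WordPress the equivalent helper is esc_attr().
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: same selection logic, but every branch is escaped on
// output. The stored option is escaped too, because a value written to the
// options table earlier may not have been sanitised when it was saved.
function render_safe(?string $stored, ?string $fromQuery): string
{
    $value = $stored ?: ($fromQuery ?? '');
    return '<input id="uif_access_token" type="text" name="uif_access_token" value="'
        . attr($value) . '">';
}

echo "Vulnerable: ", render_vulnerable(null, $sample), PHP_EOL;
echo "Hardened:   ", render_safe(null, $sample), PHP_EOL;
```

In the hardened output the sample stays inside the attribute as inert text, whereas the vulnerable output contains a second element after the closed input tag.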

A logged-in Administrator who clicks on the specially crafted link will be
presented with a video, as shown in the attached PoC picture. When he clicks
the video, the JavaScript code (an alert box for this PoC) will be executed.

I used this kind of payload in order to bypass the Chrome XSS Auditor. The
vulnerability has been tested against:

   - Ultimate Instagram Feed Version: 1.2
   - WordPress 4.8.3 running Twenty Seventeen theme.
   - Chrome Version 61.0.3163.100 (Official Build) (64-bit)

Timeline:

31 Oct 2017: Initial Contact.
31 Oct 2017: Vendor replies and asks for more information.
1 Nov 2017: Details have been provided to the vendor.
2 Nov 2017: WordPress has been informed. The WordPress team requests more
information and receives it.
4 Nov 2017: WordPress acknowledges
4 Nov 2017: Vendor releases version 1.3 which fixes the issue.
8 Nov 2017: Public Disclosure

gr33tz for the payload @brutelogic (https://brutelogic.com.br/blog/chrome-xss-auditor-svg-bypass/)
Proof of Concept

http://*yoursite*/wp-admin/admin.php?page=ultimate-instagram-feed.php&access_token=%22%3E%3Cbr%3E%3C%2Fbr%3EPlease+Watch+the+video+before+proceeding%3A%3Cbr%3E%3Cbr%3E%3Csvg+width%3D12cm+height%3D9cm%3E%3Ca%3E%3Cimage+href%3D%2F%2Fbrutelogic.com.br%2Fyt.jpg+%2F%3E%3Canimate+attributeName%3Dhref+values%3Djavas%26%2399ript%3Aalert%28document.cookie%29%3E

Affects Plugin

fixed in version 1.3.1

References

CVE 2017-16758
URL https://plugins.trac.wordpress.org/changeset/1758562/ultimate-instagram-feed
URL https://plugins.trac.wordpress.org/changeset/1759172/ultimate-instagram-feed

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Dimopoulos Elias
Submitter Website https://gr.linkedin.com/in/dimopouloselias/
Submitter Twitter DimopoulosElias
Verified No
WPVDB ID 8947

Timeline

Publicly Published 2017-11-08
Added 2017-11-09
Last Updated 2017-11-12

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.