WordPress has issued fixes for two bugs rated “medium” in its tooltips plugin, including one that can allow bad actors to do anything an administrative user would be able to do on a WordPress site.
The Tooltipy plugin allows users to automatically create responsive “tooltip” boxes for technical keywords on webpages – allowing users to easily understand difficult terms while web surfing.
Both vulnerabilities — a reflected cross-site scripting glitch and a cross-site request forgery issue — have been addressed, according to an alert that dxw Advisories posted Tuesday.
The XSS flaw, rated 5.8 on the CVSS scale, exists in the plugin’s glossary shortcode, [kttg_glossary]. To exploit it, a bad actor can create a page containing the shortcode, then append a specially crafted script to the end of the page’s URL. If an administrator is sent a link to that page and clicks on it, his or her browser could be hijacked by the person who sent the link.
From there, the hijacked browser could then be made to do almost anything an admin user can normally do.
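The pattern behind that class of bug, as an added PHP illustration that is not Tooltipy's code: a hypothetical shortcode handler that reflects a query-string value (an assumed parameter named kttg_term, since the advisory does not name the real one) straight into the page, beside the version that unslashes, sanitizes and escapes the value for the exact HTML context it lands in. Registering the callback under the shortcode name from the advisory is likewise illustrative.

```php
<?php
// Added example, not the plugin's own code. "kttg_term" is an assumed
// query parameter used only to show the reflected-input pattern.

// UNSAFE pattern: whatever arrives in the URL is echoed verbatim into the
// page, so a crafted link injects markup into the page an admin then views.
function kttg_glossary_unsafe( $atts ) {
    $term = isset( $_GET['kttg_term'] ) ? $_GET['kttg_term'] : '';
    return '<div class="kttg-glossary" data-term="' . $term . '">' . $term . '</div>';
}

// HARDENED: strip WordPress's added slashes, sanitize, then escape once per
// output context (attribute value vs. element text). Nothing from the URL
// reaches the browser unencoded.
function kttg_glossary_safe( $atts ) {
    $term = isset( $_GET['kttg_term'] )
        ? sanitize_text_field( wp_unslash( $_GET['kttg_term'] ) )
        : '';

    return '<div class="kttg-glossary" data-term="' . esc_attr( $term ) . '">'
         . esc_html( $term )
         . '</div>';
}

// Register the hardened handler for the [kttg_glossary] shortcode.
add_shortcode( 'kttg_glossary', 'kttg_glossary_safe' );
```

Output escaping is the actual fix here; the browser-side XSS filters the advisory mentions only decide whether the victim sees a warning, and a reflected payload that reaches an admin's browser unescaped runs with that admin's session.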
The second flaw, a CSRF vulnerability, has a CVSS summary score of 4.3, and exists in Tooltipy’s “KTTG Converter” feature, which allows users to import keywords from third-party plugins and add them to their Tooltipy glossary.
CSRF is an attack that tricks a web browser into executing an unwanted action in an application to which a user is logged in. This particular bug requires an attacker to convince an admin to follow a link, after which the bad actor can create duplicate posts, according to a second dxw advisory.
In a proof of concept, researchers found that an attacker could trick an administrator by sending them a link to a duplicated site.
More specifically, the bad actors could send a link to a page containing specially crafted HTML code that lists specific pages from the website, which looks like this:
<form method="POST" action="http://localhost/wp-admin/tools.php?page=my_keywords_settings_importer">
  <input type="text" name="go" value="true">
  <input type="text" name="bluet_posttypes_list" value="post">
  <input type="submit">
</form>
Once the victim user or administrator clicks on the link, each post listed in the crafted code will show as a duplicate of the entire site.
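As an added example, not the plugin's own code, here is how a hypothetical version of that importer page could refuse a cross-site form like the one above: the legitimate form carries a WordPress nonce, and the handler verifies the nonce and the user's capability before importing anything. The page slug and the go / bluet_posttypes_list field names come from the proof of concept; the function names, the nonce action name and the kttg_import_keywords_from() import routine are assumptions made for the illustration.

```php
<?php
// Added example, not Tooltipy's code. Shows a CSRF-resistant handler for
// the importer page named in the advisory. Function and option names are
// hypothetical.

// Register the page under Tools so it answers at
// wp-admin/tools.php?page=my_keywords_settings_importer.
add_action( 'admin_menu', function () {
    add_management_page(
        'KTTG Converter', 'KTTG Converter', 'manage_options',
        'my_keywords_settings_importer', 'kttg_importer_page'
    );
} );

// Hypothetical import: record the titles of the chosen post type as keywords.
function kttg_import_keywords_from( $post_type ) {
    $titles = array();
    foreach ( get_posts( array( 'post_type' => $post_type, 'numberposts' => -1 ) ) as $p ) {
        $titles[] = $p->post_title;
    }
    update_option( 'kttg_imported_keywords', $titles );
    return count( $titles );
}

function kttg_importer_page() {
    // Capability check: accounts that may not manage the site never reach the form.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_POST['go'] ) ) {
        // Nonce check: a POST without a nonce minted for this user and this
        // action (which is what an attacker-hosted form would send) is rejected
        // here, before any post is touched.
        check_admin_referer( 'kttg_import_keywords', 'kttg_nonce' );

        $post_type = isset( $_POST['bluet_posttypes_list'] )
            ? sanitize_key( wp_unslash( $_POST['bluet_posttypes_list'] ) )
            : 'post';

        if ( post_type_exists( $post_type ) ) {
            $n = kttg_import_keywords_from( $post_type );
            echo '<div class="notice notice-success"><p>Imported '
                 . (int) $n . ' keywords.</p></div>';
        }
    }
    ?>
    <form method="post"
          action="<?php echo esc_url( admin_url( 'tools.php?page=my_keywords_settings_importer' ) ); ?>">
        <?php wp_nonce_field( 'kttg_import_keywords', 'kttg_nonce' ); ?>
        <input type="hidden" name="go" value="true">
        <select name="bluet_posttypes_list">
            <option value="post">post</option>
            <option value="page">page</option>
        </select>
        <?php submit_button( 'Import keywords' ); ?>
    </form>
    <?php
}
```

The nonce is derived from the logged-in user's session and the action name, so a form on a third-party page cannot supply a valid value and check_admin_referer() stops the request with an error instead of running the import. The capability check is independent of that: it keeps lower-privileged accounts away from the importer regardless of how the request arrived.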
“The most obvious malicious use of this vulnerability would be to fill up a disk or database quota, which might lead to denial of service or other issues,” the advisory said.
Both bugs were first discovered March 29, with a fix issued on May 21. Users need to upgrade to version 5.1 or later to stay safe, and, according to the advisory, users will “see an alert in browsers without XSS prevention such as Firefox.” Both were discovered by Tom Adams.
Weston Henry, lead security analyst at SiteLock, told Threatpost that social-engineering tactics may be used to take advantage of both bugs. “These vulnerabilities would need some type of social engineering – it’s a good vector for spear-phishing attacks targeting admins,” he said. “For bigger sites, it may have more implications, but right now it looks like this vulnerability is not really widespread and could be used for targeted attacks.”
Henry added that uploaders and XSS vulns are common in plugins – particularly WordPress plugins. In fact, he noted that in the fourth quarter of 2017, sites running WordPress with any number of plugins were twice as likely to be infected with malware.
“It’s hard to generalize, but we’ve seen a lot of arbitrary file uploads and uploaders, and XSS is also very common, which are dangerous because people don’t realize how dangerous they can be,” he said.