------------------------------------------------------------------------
Cross-Site Scripting vulnerability in WP-SpamFree Anti-Spam WordPress Plugin
------------------------------------------------------------------------
Radjnies Bhansingh, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site Scripting vulnerability exists in the WP-SpamFree Anti-Spam WordPress plugin. This vulnerability allows an attacker to perform any action with the privileges of the target user. The affected code is not protected with an anti-Cross-Site Request Forgery token. Consequently, it can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement).

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0026

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the WP-SpamFree Anti-Spam [2] WordPress Plugin version 2.1.1.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
A reflected Cross-Site Scripting vulnerability exists in the WP-SpamFree Anti-Spam WordPress plugin. This vulnerability allows an attacker to perform any action with the privileges of the target user. The affected code is not protected with an anti-Cross-Site Request Forgery token. Consequently, it can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement).

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The vulnerability exists in the wp-spamfree.php file on line 6049:

$blacklist_keys_update = trim(stripslashes($_REQUEST['wordpress_comment_blacklist']));

In order to exploit this issue the target user must click a specially crafted link or visit a malicious website (or advertisement) and must be authenticated within WordPress. In addition, the WordPress-specific blacklist can be cleared by using the request below and employing CSRF.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The following proof of concept code demonstrates this issue:
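The advisory's proof-of-concept request is not reproduced on this page. What follows is an added defensive example written for this page, not code from the plugin or from the advisory author. It shows how a settings handler reading the same request parameter could be hardened against both issues the Details section names: the missing anti-CSRF token and the raw use of `$_REQUEST` that is reflected into the page. The function names `wpsf_save_blacklist_setting()` and `wpsf_render_blacklist_field()`, the nonce action `wpsf_save_blacklist`, the nonce field `wpsf_nonce`, and the target option name `blacklist_keys` are assumptions made for the example; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `sanitize_textarea_field`, `esc_textarea`, `wp_unslash`, `current_user_can`) are real core functions.

```php
<?php
// Added example, not the plugin's code. Hardened handling of the
// 'wordpress_comment_blacklist' setting discussed in the advisory.
// Assumed names: wpsf_save_blacklist_setting(), wpsf_render_blacklist_field(),
// nonce action 'wpsf_save_blacklist', nonce field 'wpsf_nonce', and the
// option 'blacklist_keys' as the stored blacklist.

// Save handler: only a POST from a privileged user with a valid nonce gets through.
function wpsf_save_blacklist_setting() {
    // 1. Capability check: only users allowed to manage options may change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    // 2. Anti-CSRF: check_admin_referer() stops the request unless the nonce
    //    tied to this action and this user is present and valid. This is the
    //    protection the affected code lacks.
    check_admin_referer( 'wpsf_save_blacklist', 'wpsf_nonce' );

    // 3. Read from $_POST only. $_REQUEST also accepts GET and cookie input,
    //    which is what makes a crafted link sufficient to reach the code.
    if ( ! isset( $_POST['wordpress_comment_blacklist'] ) ) {
        return;
    }

    // 4. Undo WordPress' added slashes, then sanitize before storing.
    //    sanitize_textarea_field() keeps line breaks (one keyword per line)
    //    but strips tags and invalid bytes; it exists in WordPress 4.7+.
    $blacklist = sanitize_textarea_field( wp_unslash( $_POST['wordpress_comment_blacklist'] ) );
    update_option( 'blacklist_keys', $blacklist );
}

// Rendering: reflect the stored value, never the raw request, and escape it.
function wpsf_render_blacklist_field() {
    $blacklist = get_option( 'blacklist_keys', '' );

    echo '<form method="post">';
    // Emits the hidden nonce input that check_admin_referer() verifies above.
    wp_nonce_field( 'wpsf_save_blacklist', 'wpsf_nonce' );
    // esc_textarea() HTML-encodes <, >, &, and quotes so the stored value
    // cannot close the textarea and inject markup.
    echo '<textarea name="wordpress_comment_blacklist" rows="10" cols="50">'
        . esc_textarea( $blacklist )
        . '</textarea>';
    echo '<input type="submit" value="Save" />';
    echo '</form>';
}
```

The two changes map directly onto the two findings: the nonce check removes the CSRF path that allows the blacklist to be cleared by a third-party page, and escaping the stored value on output (rather than echoing the request parameter) removes the reflected Cross-Site Scripting. Switching from `$_REQUEST` to `$_POST` is a belt-and-braces measure; the nonce check alone already blocks a forged request.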
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_wp_spamfree_anti_spam_wordpress_plugin.html
[2] https://wordpress.org/plugins/wp-spamfree/