
WordPress advisory: Akal premium theme XSS vulnerability

Over the course of one week I had the opportunity to audit two hacked WordPress websites, and I quickly found two vulnerabilities: a Cross Site Scripting (XSS) issue in the premium WordPress theme Akal, and a Denial-of-Service in an undisclosed newsletter plugin. This post describes the Akal premium WordPress theme XSS vulnerability.

I have to be honest: I’m not familiar with the Akal theme; it has been removed from ThemeForest and seems abandoned. Therefore I’m unable to come up with quick fixes or patches, as they might break the theme completely. If you use this theme, please delete it immediately!

Akal premium WordPress theme Cross Site Scripting (XSS) vulnerability

The theme Akal has already been pulled from ThemeForest, and it looks like the theme author has stopped the project. Since no updates are to be expected, my advice is to stop using this theme on your website.

The theme suffers from a reflected Cross Site Scripting (XSS) vulnerability that would allow an attacker to steal an admin’s cookie, if WordPress weren’t secured against that type of attack. Some information on that is available in my prettyPhoto XSS post from May 2014. However, you must still watch out for the XSS watering-hole effect.

The vulnerable code is located in framework/brad-shortcodes/tinymce/preview.php:

<?php
require_once('get_wp.php'); // bootstraps WordPress, see below

// Attacker-controlled: the sc GET parameter is base64-decoded and used as-is
$shortcode = base64_decode( trim( $_GET['sc'] ) );
?>
[...]
</style>
</head>
<body>
<?php echo do_shortcode( $shortcode ); ?>
</body>
</html>

There is a lot wrong in these few lines of PHP code. One issue is the contents of get_wp.php (see below); the other is this line:

$shortcode = base64_decode( trim( $_GET['sc'] ) );

This takes unvalidated $_GET input, stores it in the variable $shortcode and then passes it to the WordPress function do_shortcode(). So now I’m interested in the contents of the file get_wp.php:

<?php
// Derive the WordPress root directory from this file's own path ...
$absolute_path = __FILE__;
$path_to_file = explode( 'wp-content', $absolute_path );
$path_to_wp = $path_to_file[0];

// ... and bootstrap all of WordPress, no matter who requested this file
require_once( $path_to_wp . '/wp-load.php' );
?>

This simply loads wp-load.php, and thus all of WordPress’ code, without any check that the file was included by WordPress rather than requested directly. That means you can call it directly in your browser.

Always test whether the requested file was included correctly, for example by using this in your scripts:

if ( ! defined( 'ABSPATH' ) ) {
  exit;
}

Or:

if ( ! defined( 'YOUR_CONSTANT' ) ) {
  exit;
}

Also use nonces in WordPress, and make sure Apache access control is correctly implemented in your .htaccess files.
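As an added example (not code from the Akal theme, which I have not patched), this is how a shortcode preview endpoint could apply the checks above. It assumes the file is included through WordPress, for example from an admin-ajax.php action, rather than bootstrapping wp-load.php itself, and the nonce action name akal_preview is an assumption.

```php
<?php
// Added example (not the Akal theme's code): a shortcode preview endpoint
// that applies the checks recommended in this post. It assumes the file
// is included through WordPress, e.g. from an admin-ajax.php action, so
// ABSPATH is defined and the WordPress API is available.

// 1. Refuse direct requests: without WordPress loaded there is nothing to do.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 2. Only users who may edit posts get to render shortcodes.
if ( ! current_user_can( 'edit_posts' ) ) {
    wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
}

// 3. Require a nonce created by the editor page with
//    wp_create_nonce( 'akal_preview' ) (the action name is an assumption).
$nonce = isset( $_GET['_wpnonce'] ) ? wp_unslash( $_GET['_wpnonce'] ) : '';
if ( ! wp_verify_nonce( $nonce, 'akal_preview' ) ) {
    wp_die( 'Invalid or expired nonce.', '', array( 'response' => 403 ) );
}

// 4. Decode strictly: malformed base64 yields false instead of garbage.
$raw       = isset( $_GET['sc'] ) ? trim( wp_unslash( $_GET['sc'] ) ) : '';
$shortcode = base64_decode( $raw, true );
if ( false === $shortcode ) {
    wp_die( 'Malformed request.', '', array( 'response' => 400 ) );
}

// 5. Accept exactly one registered shortcode, so the "no '[' means return
//    the input unchanged" path in do_shortcode() can never be reached.
if ( ! preg_match( '/^\[([a-z0-9_-]+)(\s[^\]]*)?\](.*)$/is', $shortcode, $m )
     || ! shortcode_exists( $m[1] ) ) {
    wp_die( 'Unknown shortcode.', '', array( 'response' => 400 ) );
}

// 6. Render, then strip anything not allowed in post content before echoing.
$rendered = wp_kses_post( do_shortcode( $shortcode ) );
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Shortcode preview</title></head>
<body><?php echo $rendered; ?></body>
</html>
```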

In this particular case, WordPress’ do_shortcode() provides no additional security. In the developer documentation we find the source, and the relevant part is on lines 205–207:

if ( false === strpos( $content, '[' ) ) {
  return $content;
}

If $content contains no '[', it is simply returned unchanged.

Knowing that our XSS payload is returned unchanged as long as we don’t provide a '[', we can start attacking it. You must have seen $shortcode = base64_decode( trim( $_GET['sc'] ) );, so our input has to be base64 encoded.

No problem there, just use bash :-).

After a few tries I came up with the following XSS payload, which successfully triggered the alert confirming the XSS:

echo -n '<script>alert("xss </script%3E")</script>' | base64
PHNjcmlwdD5hbGVydCgieHNzIDwvc2NyaXB0JTNFIik8L3NjcmlwdD4=

PoC URL:

http: 

I’ve tried to contact the theme author bradweb, but all links are dead ends. I haven’t checked for other vulnerabilities in this theme yet.

Looking for a WordPress Plugin Security Testing Cheat Sheet? Ryan Dewhurst created one, use it wisely!

WPScan Vulnerability Database ID: 8607.

