
Register IPs <= 1.8.0 - Unauthenticated Stored Cross-Site Scripting (XSS)

Summary

| Description | Details |
| --- | --- |
| Name | Register IPs <= 1.8.0 - Unauthenticated Stored Cross-Site Scripting (XSS) |
| Summary | Unauthenticated vulnerability in Register IPs while accepting IPs from X-FORWARDED-FOR HTTP header |
| Affected application | Register IPs WordPress Plugin |
| Affected revision | < 1.8.1 |
| Vendor update available | Yes |
| CVE | |
| Ids | CWE-79 |
| CVSSv3.0 Base Score | 4.8 |
| CVSS vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C |
| Public Exploit available | Not yet, but very simple |
| Exploit verified | Yes |
| Authentication Required | No |

Vulnerable Code

## wp-content/plugins/register-ip-multisite/register-ip.php
        /**
         * Log the IP address
         *
         * @since 1.0
         * @access public
         */
        public function log_ip($user_id){
                //Get the IP of the person registering
                $ip = $_SERVER['REMOTE_ADDR'];

                // If there's forwarding going on...
                if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
                        $http_x_headers = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );
                        $ip             = $http_x_headers[0];
                }
                update_user_meta( $user_id, 'signup_ip', $ip ); //Add user metadata to the usermeta table
        }

        /**
         * Show the IP on a profile
         *
         * @since 1.0
         * @access public
         */
        public function edit_user_profile() {
                        $user_id = (int) $_GET['user_id'];
        ?>
                        <h3><?php _e( 'Signup IP Address', 'register-ip-mutisite' ); ?></h3>
                        <p style="text-indent:15px;"><?php
                        $ip_address = get_user_meta( $user_id, 'signup_ip', true );
                        echo $ip_address;
                        ?></p>
        <?php
        }

Exploit Methodology

To exploit this vulnerability, the following conditions and steps apply:

  • First, the WordPress site needs to have user registration enabled, which is disabled by default. This plugin version also has to be installed; it currently has a small user base of about 3K installations.
  • A new user registration can be submitted as shown below. WordPress user registration is already susceptible to CSRF.
http -v --form http://wpvdb9274.vulnsite.xxxxy/wp-login.php?action=register user_login=testu2 user_email=[email protected] redirect_to= wp-submit=Register  X-Forwarded-For:"<script>alert('pwned');</script>"
  • The attacker can inject malicious JavaScript code in the payload, which is the X-Forwarded-For header value that the plugin stores as the signup IP.
  • Any user viewing all users will be affected.
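
From the defender's side, an added example (not code from the plugin or from this advisory) that validates the forwarded address before it is stored and audits already stored signup_ip values for content that is not an IP address. The function names, the trusted-proxy list and the sample data are assumptions constructed for illustration.

```php
<?php
// Added example, not the plugin's code; function names and sample data are hypothetical.

// Use the first X-Forwarded-For entry only when the direct peer is a trusted
// proxy AND the entry parses as an IP address; otherwise use REMOTE_ADDR.
function resolve_signup_ip(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';

    if ($xff !== '' && in_array($peer, $trusted_proxies, true)) {
        $first = trim(explode(',', $xff)[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    // Store an empty string rather than a malformed peer address.
    return filter_var($peer, FILTER_VALIDATE_IP) !== false ? $peer : '';
}

// Audit helper: given user_id => stored signup_ip pairs (as read from usermeta),
// return the entries that are not valid IP addresses and need review.
function find_invalid_signup_ips(array $rows): array
{
    return array_filter(
        $rows,
        fn ($value) => filter_var(trim((string) $value), FILTER_VALIDATE_IP) === false
    );
}

// Constructed sample data (documentation address ranges, benign markup).
$trusted   = ['203.0.113.7'];
$via_proxy = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.4, 203.0.113.7'];
$direct    = ['REMOTE_ADDR' => '192.0.2.50', 'HTTP_X_FORWARDED_FOR' => '<b>not-an-ip</b>'];
$stored    = [11 => '198.51.100.23', 12 => '<b>not-an-ip</b>', 13 => '2001:db8::1'];

// Header honoured: the peer is a trusted proxy and the entry is a valid IP.
echo resolve_signup_ip($via_proxy, $trusted), PHP_EOL;
// Header ignored: the peer is not a trusted proxy, so REMOTE_ADDR is used.
echo resolve_signup_ip($direct, $trusted), PHP_EOL;

foreach (find_invalid_signup_ips($stored) as $user_id => $value) {
    // Escape the stored value so the audit report never renders it as markup.
    echo $user_id, ': ', htmlspecialchars($value, ENT_QUOTES), PHP_EOL;
}
```

In WordPress the rows passed to find_invalid_signup_ips() would be read with get_user_meta( $user_id, 'signup_ip', true ), the same call the plugin uses.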

Security Patch

--- a/wp-content/plugins/register-ip-multisite/register-ip.php
+++ b/wp-content/plugins/register-ip-multisite/register-ip.php
@@ -77,7 +77,7 @@ class Register_IP_Multisite {
        // If there's forwarding going on...
        if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
            $http_x_headers = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );
-           $ip             = $http_x_headers[0];
+           $ip             = sanitize_text_field( $http_x_headers[0] );
        }
        update_user_meta( $user_id, 'signup_ip', $ip ); //Add user metadata to the usermeta table
    }
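Review bot: sanitize_text_field() on $http_x_headers[0] strips markup but still lets any client-supplied text be stored as signup_ip, so the recorded value can be spoofed or not be an address at all. Validate it as an IP, for example with filter_var( $ip, FILTER_VALIDATE_IP ), and fall back to $_SERVER['REMOTE_ADDR'] when validation fails; ideally honour X-Forwarded-For only when the request arrives from a known proxy.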
@@ -94,7 +94,7 @@ class Register_IP_Multisite {
            <h3><?php _e( 'Signup IP Address', 'register-ip-mutisite' ); ?></h3>
            <p style="text-indent:15px;"><?php
            $ip_address = get_user_meta( $user_id, 'signup_ip', true );
-           echo $ip_address;
+           echo esc_html( $ip_address );
            ?></p>
    <?php
    }
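Review bot: check every other place that prints the signup_ip meta value, since this hunk escapes only the echo in the profile view and values stored before the update stay unsanitized in usermeta. Separately, the text domain 'register-ip-mutisite' on the context line looks misspelled against the plugin directory register-ip-multisite; confirm it matches the domain the plugin loads.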

References

https://wpvulndb.com/vulnerabilities/9274