TycheSoftwares / product-delivery-date-for-woocommerce-lite

Product Delivery Date plugin for WooCommerce - Lite

Product Delivery Date for WooCommerce – Lite <= 2.7.3 - Reflected Cross-Site Scripting #196

Closed oluisrael11 closed 4 weeks ago

oluisrael11 commented 4 weeks ago

Prerequisites

Describe the bug

The Wordfence security team disclosed a vulnerability to us in which the security team found out that the Product Delivery Date for WooCommerce – Lite plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is only exploitable when notices are present.

Steps to reproduce

  1. Install WooCommerce
  2. Install Product Delivery Date for WooCommerce - lite
  3. Visit: http://localhost/wp-admin/index.php?a=1&">

The vulnerable code is in: includes/component/pro-notices-in-lite/ts-pro-notices.php

Line 102 -> 104

$add_query_arguments = add_query_arg( self::$plugin_prefix . '_first_notice_ignore', '0' );
$cancel_button = '<a href="'.$add_query_arguments.'" class="dashicons dashicons-dismiss dashicons-dismiss-icon" style="position: absolute; top: 8px; right: 8px; color: #222; opacity: 0.4; text-decoration: none !important;"></a>';

printf( '<div class="%1$s" style="%2$s"><p>%3$s %4$s</p></div>', $class, $style, self::$ts_pro_notices[1], $cancel_button );

This notice is user-specific, so it is more available than a globally dismissed notice.

Additional functionality is present to trigger notices with the same vulnerability, potentially 8-9 times every 15, then 7 days per user.

According to the researcher that discovered this vulnerability, the time is never initialized leading to the immediate availability of the notice on install but the additional later notices in the same file do not trigger.

Public known reference: https://plugins.trac.wordpress.org/browser/product-delivery-date-for-woocommerce-lite/trunk/includes/component/pro-notices-in-lite/ts-pro-notices.php#L102

Thanks to the vulnerability researcher, vgo0, for sharing the proof of concept and steps to recreate this.

Expected behavior

The Wordfence team recommends using one of the built-in WordPress sanitization and/or escaping functions before saving user input data to the database and when displaying it on output.

References on how to go about the sanitization and escaping functions can be found via: https://developer.wordpress.org/apis/security/sanitizing/ & https://developer.wordpress.org/apis/security/escaping/

Isolating the problem

Additional field

Additional details, references, and credits can be found below:

Vulnerability Title: Product Delivery Date for WooCommerce – Lite <= 2.7.3 - Reflected Cross-Site Scripting
CVE ID: CVE-2024-9345
CVSS Severity Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Organization: Wordfence
Vulnerability Researcher(s): vgo0
Honorable mention: Wordfence security team

https://support.tychesoftwares.com/conversation/4826
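The root cause described in this issue is that add_query_arg() builds its result from the current request URI, so attacker-controlled query parameters are reflected into the returned string, which the notice then writes straight into an href attribute. The following is an added example of a hardened dismissible notice, not the plugin's own code: it assumes a WordPress runtime (add_query_arg, esc_url, esc_attr, wp_kses_post, wp_nonce_url, wp_verify_nonce and the user-meta functions are WordPress APIs), and the class name, plugin prefix, meta key and notice text are hypothetical.

```php
<?php
/**
 * Added example (not the plugin's code): a dismissible admin notice whose
 * dismiss link is escaped for the attribute context it lands in and whose
 * dismiss action is nonce-protected and stored per user.
 * Assumes WordPress is loaded. Class, prefix and meta key are hypothetical.
 */
class Example_Pro_Notice {
    // Hypothetical plugin prefix and per-user meta key.
    const PREFIX   = 'example_plugin';
    const META_KEY = 'example_plugin_first_notice_ignored';

    public static function init() {
        add_action( 'admin_init', array( __CLASS__, 'handle_dismiss' ) );
        add_action( 'admin_notices', array( __CLASS__, 'render' ) );
    }

    /**
     * Build the dismiss link. add_query_arg() reflects the current request
     * URI (including any query parameters the visitor supplied), so its
     * result is untrusted and goes through esc_url() before being placed in
     * an href attribute. wp_nonce_url() ties the dismiss action to this user.
     */
    public static function dismiss_url() {
        $url = add_query_arg( self::PREFIX . '_first_notice_ignore', '0' );
        $url = wp_nonce_url( $url, self::PREFIX . '_dismiss', self::PREFIX . '_nonce' );
        return esc_url( $url );
    }

    /** Record the dismissal only when the nonce for this action verifies. */
    public static function handle_dismiss() {
        $param = self::PREFIX . '_first_notice_ignore';
        if ( ! isset( $_GET[ $param ] ) ) {
            return;
        }
        $nonce_key = self::PREFIX . '_nonce';
        $nonce     = isset( $_GET[ $nonce_key ] )
            ? sanitize_key( wp_unslash( $_GET[ $nonce_key ] ) )
            : '';
        if ( ! wp_verify_nonce( $nonce, self::PREFIX . '_dismiss' ) ) {
            return;
        }
        update_user_meta( get_current_user_id(), self::META_KEY, 1 );
    }

    /** Render the notice; every dynamic value is escaped for its context. */
    public static function render() {
        if ( ! current_user_can( 'manage_options' ) ) {
            return;
        }
        if ( get_user_meta( get_current_user_id(), self::META_KEY, true ) ) {
            return;
        }
        $class   = 'notice notice-info';
        $style   = 'position: relative;';
        $message = __( 'Thanks for using the plugin.', 'example-plugin' );

        // Single-quoted format string, so %1$s etc. are literal placeholders.
        printf(
            '<div class="%1$s" style="%2$s"><p>%3$s <a href="%4$s" class="dashicons dashicons-dismiss"></a></p></div>',
            esc_attr( $class ),
            esc_attr( $style ),
            wp_kses_post( $message ),
            self::dismiss_url()
        );
    }
}

Example_Pro_Notice::init();
```

The change that closes the reflected XSS is the esc_url() call around the add_query_arg() result; the nonce and per-user meta are added so that the dismiss action cannot be triggered by a crafted link either, and the notice stays user-specific as the original was.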

oluisrael11 commented 4 weeks ago

GitHub issue 196