bobbingwide / oik

OIK Information Kit
https://www.oik-plugins.com/oik-plugins/oik
GNU General Public License v2.0

Vulnerability in [bw_button] shortcode leading to XSS #227

Closed bobbingwide closed 4 months ago

bobbingwide commented 5 months ago

Vulnerability Title: oik <= 4.10.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via bw_button Shortcode
CVE ID: CVE-2024-6391
CVSS Severity Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Organization: Wordfence
Vulnerability Researcher(s): Rafshanzani Suhada

Description

The oik plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bw_button shortcode in all versions up to, and including, 4.10.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Additional notes

While trying to reproduce a responsibly disclosed issue I encountered a Deprecated message.

Deprecated: ltrim(): Passing null to parameter #1 ($string) of type string is deprecated 
in C:\apache\htdocs\oikcom\wp-includes\formatting.php on line 4494
0. bw_lazy_backtrace C:\apache\htdocs\wordpress\wp-content\plugins\oik-bwtrace\libs\bwtrace.php:108 0
1. bw_backtrace C:\apache\htdocs\wordpress\wp-content\plugins\oik-bwtrace\includes\bwtrace-actions.php:293 0
2. bw_trace_error_handler(8192,ltrim(): Passing null to parameter #1 ($string) of type string is deprecated,C:\apache\htdocs\oikcom\wp-includes\formatting.php,4494) C:\apache\htdocs\wordpress\wp-content\plugins\oik-bwtrace\includes\bwtrace-actions.php:0 4
3. ltrim(null) C:\apache\htdocs\oikcom\wp-includes\formatting.php:4494 1
4. esc_url(null) C:\apache\htdocs\wordpress\wp-content\plugins\oik-bwtrace\libs\bobbfunc.php:262 1
5. retlink(button  " onmouseover=alert(5),null,dummy,dummy,null,null) C:\apache\htdocs\wordpress\wp-content\plugins\oik\libs\class-BW-.php:55 6
6. alink(button  " onmouseover=alert(5),null,dummy,dummy) C:\apache\htdocs\wordpress\wp-content\plugins\oik\includes\bobbcomp.php:741 4
7. art_button(null,dummy,dummy, " onmouseover=alert(5)) C:\apache\htdocs\wordpress\wp-content\plugins\oik\shortcodes\oik-button.php:40 4
8. bw_button_shortcodes(array,,bw_button) C:\apache\htdocs\wordpress\wp-content\plugins\oik\libs\oik-shortcodes.php:229 3
9. bw_shortcode_event(array,,bw_button) C:\apache\htdocs\oikcom\wp-includes\shortcodes.php:433 3
10. do_shortcode_tag(array) C:\apache\htdocs\wordpress\wp-content\plugins\oik-css\includes\shortcodes-earlier.php:118 1
11. do_shortcode_tag_earlier(array) C:\apache\htdocs\wordpress\wp-content\plugins\oik-css\includes\shortcodes-earlier.php:0 1
12. preg_replace_callback(/\[(\[?)(bw_button|bw_code)(?![\w-])([^\]\/]*(?:\/(?!\])[^\]\/]*)*?)(?:(\/)\]|\](?:([^\[]*+(?:\[(?!\/\2\])[^\[]*+)*+)\[\/\2\])?)(\]?)/,do_shortcode_tag_earlier,

bobbingwide commented 4 months ago

I reproduced the example in a shortcode example for [bw_button] and have implemented a fix in libs/bobbfunc.php.

The vulnerability is associated with not dealing correctly with double quotes in the shortcode attribute content. With the specific example

[bw_link class=' " onmouseover=alert(5) '] 

the code was generating another attribute after the class attribute. As you can see, this contains JavaScript, which is run when the post has been published and viewed and the link is hovered over.

Note: The JavaScript in the example is benign.

Proposed solution

Rather than implement sanitization when the post is created - to trap an unscrupulous contributor - we ensure that each attribute is escaped using esc_attr().

We can't change the kv() function, since it may be used legitimately, so we change the relevant calls to kv() in retlink():

$link .= kv( "class", esc_attr( $class ) );
$link .= kv( "id", esc_attr( $id ) );

The effect of esc_attr() on " onmouseover=alert(5) is to convert the double quote to an escaped character: &quot; onmouseover=alert(5)

These will be invalid CSS class names, but more importantly, the onmouseover attribute is disabled.
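The before/after behaviour described in this comment, as an added stand-alone example that is not code from the oik plugin. It models the link builder with hypothetical functions build_link_vulnerable() and build_link_fixed(); the kv() here is a minimal reimplementation, esc_attr_standin() stands in for WordPress's esc_attr() so the script runs without WordPress, and event_handler_attributes() uses DOMDocument to check which attributes a parser actually sees on the rendered <a> tag.

```php
<?php
// Added example, not the oik plugin's code. Names below are hypothetical
// except kv()/esc_attr(), whose roles follow the comment above.

// Stand-in for WordPress esc_attr(): encodes &, <, >, " and ' as entities.
// Assumption: this is sufficient for the demonstration (real esc_attr()
// additionally normalises existing entities and checks encoding).
function esc_attr_standin( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Minimal kv(): emits ' key="value"' without escaping, because (as the
// comment says) callers may already pass pre-escaped content to it.
function kv( $key, $value ) {
    if ( $value === null || $value === '' ) {
        return '';
    }
    return ' ' . $key . '="' . $value . '"';
}

// Before the fix: shortcode attribute values reach kv() unescaped, so a
// double quote inside $class closes the class attribute early.
function build_link_vulnerable( $url, $text, $class, $id ) {
    $link  = '<a href="' . esc_attr_standin( $url ) . '"';
    $link .= kv( 'class', $class );
    $link .= kv( 'id', $id );
    $link .= '>' . esc_attr_standin( $text ) . '</a>';
    return $link;
}

// After the fix: each attribute value is escaped before it is handed to kv(),
// mirroring the esc_attr() calls added in retlink().
function build_link_fixed( $url, $text, $class, $id ) {
    $link  = '<a href="' . esc_attr_standin( $url ) . '"';
    $link .= kv( 'class', esc_attr_standin( $class ) );
    $link .= kv( 'id', esc_attr_standin( $id ) );
    $link .= '>' . esc_attr_standin( $text ) . '</a>';
    return $link;
}

// Parse the fragment the way a browser would and list any on* attributes
// found on <a> elements. Searching the raw string is not enough, because the
// escaped output still contains the text "onmouseover" inside the class value.
function event_handler_attributes( $html ) {
    $doc = new DOMDocument();
    libxml_use_internal_errors( true );
    $doc->loadHTML( '<!DOCTYPE html><html><body>' . $html . '</body></html>' );
    libxml_clear_errors();
    $found = array();
    foreach ( $doc->getElementsByTagName( 'a' ) as $a ) {
        foreach ( $a->attributes as $attr ) {
            if ( stripos( $attr->name, 'on' ) === 0 ) {
                $found[] = $attr->name;
            }
        }
    }
    return $found;
}

// Constructed input: the class value from the report, including the leading
// double quote that terminates the class attribute in the unfixed build.
$class = ' " onmouseover=alert(5) ';

$before = build_link_vulnerable( 'https://example.com/', 'button', $class, 'dummy' );
$after  = build_link_fixed( 'https://example.com/', 'button', $class, 'dummy' );

echo "before: $before\n";
echo "after:  $after\n";
echo 'event handlers before fix: ' . implode( ',', event_handler_attributes( $before ) ) . "\n";
echo 'event handlers after fix:  ' . implode( ',', event_handler_attributes( $after ) ) . "\n";
```

In the unfixed output the double quote ends the class attribute and the parser sees a separate onmouseover attribute; in the fixed output the quote becomes &quot;, the whole string stays inside the class value, and no event-handler attribute exists on the element. As the comment notes, the resulting class name is invalid CSS, but that is harmless compared with the handler being disabled.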

bobbingwide commented 4 months ago

Fixed in oik v4.12.0 and oik-bwtrace v3.4.7. See https://www.oik-plugins.com/shortcode_example/bw_button-security-fix-2/