PHP_SELFish Part 1 – Reflected XSS in underConstruction Plugin

Today’s post is part one of a two part blog post. It describes a cross site scripting vulnerability that exploits the PHP_SELF variable. Tomorrow we will publish part two, which describes another plugin suffering from a similar vulnerability related to the use of PHP_SELF. So be sure to look out for that post via our mailing list, which you can join on this page, in case you’re not already a member.

On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in underConstruction, a WordPress plugin with over 80,000 installations.

After 2 weeks without a response, we forwarded the issue to the WordPress plugins team on August 30, 2021. A patched version, 1.19, was released the next day, on August 31, 2021.

A firewall rule protecting against this vulnerability was released to Wordfence Premium users on August 16, 2021, and became available to sites using the free version of Wordfence on September 15, 2021.

If you aren’t running Wordfence, and are a user of this plugin, we recommend you immediately upgrade to version 1.19 of underConstruction which contains the patch.


Description: Reflected Cross-Site Scripting
Affected Plugin: underConstruction
Plugin Slug: underconstruction
Affected Versions: <= 1.18
CVE ID: CVE-2021-39320
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 1.19

The underConstruction plugin options page contained a settings form which echoed out the value of the  $GLOBALS['PHP_SELF'] variable as its submission target.

		<form method="post"
			action="<?php echo $GLOBALS['PHP_SELF'] . '?page=' . $this->mainOptionsPage; ?>"
			id="ucoptions">

PHP_SELF stores the path of the currently running script, so it’s a simple way to get a form to submit to itself. Sites running Apache and modPHP store additional path information after the filename in PHP_SELF by default, for example, examplesite.com/index.php/extrapath. Unfortunately this meant that JavaScript could be added to the path itself, for example:

<siteURL>/wp-admin/admin.php//index"/><svg/onload=alert(/xss/)>?page=under-construction

 

If an attacker was able to trick an administrator into clicking a crafted link, it could be used to execute JavaScript in that administrator’s session, which could be used to add a malicious admin user, or install a backdoor on the site, leading to site takeover.

Sites running Nginx or Apache+PHP-FPM do not store the additional path information required for the vulnerability to work by default, but some shared hosting providers may enable this functionality for compatibility with other software.

Timeline

August 16, 2021 – Wordfence Threat Intelligence finds the vulnerability and attempts to contact the plugin developer. We release a firewall rule to protect Wordfence Premium users.
August 30, 2021 – After 2 weeks without a response we contact the WordPress plugins team.
August 31, 2021– A patched version of the plugin is made available.
September 15, 2021 – Sites running the free version of Wordfence receive the firewall rule.

Conclusion

In today’s article, we covered a reflected Cross-Site Scripting(XSS) vulnerability in the underConstruction plugin which could be used to execute malicious JavaScript in an administrator’s session and take over a site. While XSS vulnerabilities targeting PHP_SELF are no longer as common as they were in the past due to growing use of best practices, such as escaping output and using built-in WordPress functions to securely save options, they can still be found from time to time.

During the research that led us to this vulnerability, we found a second, similar vulnerability in another plugin with over 40,000 installations, which we’ll cover in more detail in tomorrow’s post.

WordPress Premium users have been protected against this vulnerability since August 16, 2021. Sites still running the free version of Wordfence received the same protection on September 15, 2021. Nonetheless we strongly recommend updating to the latest version available, 1.19, as soon as possible.

If you believe your site has been compromised as a result of this or any other attack, Wordfence offers professional Site Cleaning services. Our Security Analysts remove any malware found, and also determine the intrusion vector if possible, as well as providing recommendations to prevent future infections.

If anyone you know is using the underConstruction plugin, please forward this article to them and encourage them to update.

The post PHP_SELFish Part 1 – Reflected XSS in underConstruction Plugin appeared first on Wordfence.

More great articles

Zero-Day RCE in vBulletin v5.0.0-v5.5.4

A new remote code execution (RCE) zero-day vulnerability has been disclosed by an anonymous researcher on the full disclosure mailing…

Read Story

WordPress 5.4.2 Patches Multiple XSS Vulnerabilities

WordPress Core version 5.4.2 has just been released. Since this release is marked as a combined security and bug fix…

Read Story

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 6, 2023 to November 12, 2023)

Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the…

Read Story

Emergency WordPress Help

One of our techs will get back to you within minutes.