bookmark_borderWP-Live Chat by 3CX < 8.2.0 - Authenticated Stored Cross-Site Scripting

https://chevonphillip.com/wp-content/uploads/2020/07/3CX-WP-Live-Chat-XSS-1.mp4

There is a Stored Cross-Site Scripting (XSS) in WP-Live Chat by 3CX v. 8.1.9 By 3CX within the Quick Response function. Due to the nature of this vulnerability, a malicious attack with access to a WordPress multisite and permissions to this plugin can craft a malformed JavaScript payload.

https://wpvulndb.com/vulnerabilities/10303

bookmark_borderStored XSS – ImageBoss Plugin v.3.0.4 In WordPress v.5.4.1

Vulnerability Class: XSS | Vulnerable Product: ImageBoss v.3.0.4

What is ImageBoss?

Content-aware image resizing, cropping, compression, cache, and globally deliver. All web development best practices, hassle-free in one simple and powerful API.ImageBoss is a tool in the Image Processing and Management category of a tech stack.

Vulnerable Code

Settings.php contains a line of code that creates an input field and echo the value of the input back to the DOM with the following PHP code <?php echo get_option(‘ibup_imageboss_source’) ?> .

<input
        id="ibup_imageboss_source"
        name="ibup_imageboss_source"
        placeholder="mywordpress-images"
        style="width: 300px"
        value="<?php echo get_option('ibup_imageboss_source') ?>"
    /> <br /> <br />

Contents of the Settings.php File

<?php
function image_boss_settings() {
?>

<form method="post" action="options.php" id="image_boss_settings">
  <div class="wrap">
    <h2>ImageBoss</h2>

    <?php if (isset($_GET['settings-updated'])) { ?>
      <div class='updated'><p>You have successfully saved the settings.</p></div>
    <?php } ?>

    <h3>Step 1: Account</h3>
    <p>Create your <a href="https://imageboss.me/" target="_blank">ImageBoss Account</a>.</p>

    <h3>Step 2: Image Source</h3>
    <p>
      Connect ImageBoss to your images on <a target='_blank' href='https://imageboss.me/dashboard'>ImageBoss Dashboard</a> by adding your image source.
    </p>
    <?php settings_fields('imageboss-settings-group'); ?>

    <h3>Step 3: Source Name</h3>
    <p>This is the name you gave to your Image Source on Step 2.</p>
    <input
        id="ibup_imageboss_source"
        name="ibup_imageboss_source"
        placeholder="mywordpress-images"
        style="width: 300px"
        value="<?php echo get_option('ibup_imageboss_source') ?>"
    /> <br /> <br />
    <h3>Activate</h3>
    <input
      type="checkbox"
      id="ibup_imageboss_active"
      name="ibup_imageboss_active"

      value="true"
      <?php echo get_option('ibup_imageboss_active') ? 'checked' : '' ?>
    /> <label for="ibup_imageboss_active">If you have all set, check this box to activate ImageBoss on your images.</label>
    <h3>Advanced Configurations</h3>
    <p>By default ImageBoss will wrap all your images. If you don't want this to happen you can add bellow the hosts you want ImageBoss to intercept:</p>
      <textarea
        id="ibup_imageboss_hosts"
        name="ibup_imageboss_hosts"
        rows="4" cols="80"
      ><?php echo get_option('ibup_imageboss_hosts') ?></textarea> <br /> <br />
    <input type="submit" class="button-primary" value="Save Changes" />
  </form>

  </div> <br /> <br /> <br /> <br />
  <div>
    <h3>Useful Links</h3>
    <a class='button action' target='_blank' href='https://imageboss.me/pricing'>Create Account</a>
    <a class='button action' target='_blank' href='https://imageboss.me/dashboard'>ImageBoss Dashboard</a>
    <a class='button action' target='_blank' href='https://imageboss.me/docs'>ImageBoss Docs</a>
    <a class='button action' target='_blank' href='https://github.com/imageboss/imageboss-wordpress'>Plugin Documentation</a>
    <a class='button action' target='_blank' href='https://github.com/imageboss/imageboss-wordpress/issues'>Report a Bug</a>
  </div>
<?php
}

Exploit and Payload In Action

chevonphillip"><img src=x onerror=alert(1337);>"

Video PoC

https://chevonphillip.com/wp-content/uploads/2020/07/imageboss-3.0.4-xss.mp4

Recommended Fix

https://www.php.net/manual/en/filter.filters.sanitize.php

Vendor Fix

Thank you @igorescobar for fixing this bug in a timely manner.

https://github.com/imageboss/imageboss-wordpress/issues/2

https://plugins.trac.wordpress.org/browser/imageboss/trunk/admin/screens/settings.php?annotate=blame&rev=2302400


Timeline

  • 04/30/2020 – CVE requested from cve.mitre.org.
  • 04/30/2020 – Write-up created pending public disclosure.
  • 05/01/2020 – Reported Vulnerability to the vendor.
  • 05/01/2020 – Reported to WordPress Plugin Security Team.
  • 05/11/2020 – Reply from the vendor.
  • 05/11/2020 – Bug fixed in v.3.0.6.