Justin Massey

Penetration Tester

Stored XSS in Easy WP SMTP,
A WordPress Plugin

Disclosure Date: 4/11/17
Remediation Date: 4/13/17 (only partially remediated)

Description

The Easy WP SMTP plugin is affected by two different classes of vulnerability. The first is Stored Cross-Site Scripting (XSS). The second is that the SMTP password is written into the (masked) password field, where any administrator can read it from the page source.

Vulnerability One

Remediated in version 1.2.5 on 4/13/17
The Stored XSS affects two input fields:
  • swpsmtp_subject (a text input box)
  • swpsmtp_message (a textarea input field)
The following is a malicious XSS request body which can be sent to /wp-admin/options-general.php?page=swpsmtp_settings and targets the swpsmtp_subject parameter.
swpsmtp_to=test%40test.com&swpsmtp_subject=test%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&swpsmtp_message=&swpsmtp_test_submit=submit&swpsmtp_nonce_name=e61fbe8d0c&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dswpsmtp_settings
This payload closes the value attribute and the HTML input tag, then executes a JavaScript alert window.

The following is another malicious XSS request body which can be sent to /wp-admin/options-general.php?page=swpsmtp_settings and targets the swpsmtp_message parameter.
swpsmtp_to=test%40test.com&swpsmtp_subject=test&swpsmtp_message=%3C%2Ftextarea%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&swpsmtp_test_submit=submit&swpsmtp_nonce_name=e61fbe8d0c&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dswpsmtp_settings
This payload closes the textarea element, then executes a JavaScript alert window.
Note: Chrome will not execute this JavaScript because no “X-XSS-Protection” header is set, so the browser's built-in XSS filter remains active.
All other fields on the page are properly sanitized.

Remediation

WordPress provides built-in functions to sanitize user input. In this case, the application needs to use the “sanitize_text_field()” function.
Vulnerable Code:
// Raw POST data is stored as-is; nothing strips tags or control characters.
$swpsmtp_subject = isset($_POST['swpsmtp_subject']) ? $_POST['swpsmtp_subject'] : '';
$swpsmtp_message = isset($_POST['swpsmtp_message']) ? $_POST['swpsmtp_message'] : '';
Fixed Code:
// Each value is passed through sanitize_text_field() before it is stored.
$swpsmtp_subject = isset($_POST['swpsmtp_subject']) ? sanitize_text_field($_POST['swpsmtp_subject']) : '';
$swpsmtp_message = isset($_POST['swpsmtp_message']) ? sanitize_text_field($_POST['swpsmtp_message']) : '';
The second step is to encode the output for the context it is written into. WordPress provides several esc_* helper functions for this.
  • For text input boxes use: esc_html()
  • For textareas use: esc_textarea()
Vulnerable Code:
// Stored values are echoed straight into the page markup.
echo $smtp_test_mail['swpsmtp_subject'];
echo $smtp_test_mail['swpsmtp_message'];
Fixed Code:
// Stored values are HTML-encoded for their output context before being echoed.
echo esc_html($smtp_test_mail['swpsmtp_subject']);
echo esc_textarea($smtp_test_mail['swpsmtp_message']);
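To see the two output contexts side by side, the following is an added Python example (not code from this advisory or from the plugin) that decodes the two request bodies quoted above the way PHP fills $_POST, renders the subject and message the way the vulnerable echo statements do, and then renders them with context-appropriate encoding. html.escape(quote=True) stands in for WordPress's esc_html() and esc_textarea(), both of which run htmlspecialchars() with ENT_QUOTES; the form markup and function names are the example's own. One caveat on the sanitization step above: sanitize_text_field() also strips line breaks, so for the textarea value WordPress's sanitize_textarea_field() (available since WordPress 4.7) keeps multi-line messages intact while still removing tags.

```python
import html
from urllib.parse import parse_qs

# Request bodies quoted from the advisory (test-email form submissions).
SUBJECT_PAYLOAD = (
    "swpsmtp_to=test%40test.com"
    "&swpsmtp_subject=test%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
    "&swpsmtp_message=&swpsmtp_test_submit=submit&swpsmtp_nonce_name=e61fbe8d0c"
    "&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dswpsmtp_settings"
)
MESSAGE_PAYLOAD = (
    "swpsmtp_to=test%40test.com&swpsmtp_subject=test"
    "&swpsmtp_message=%3C%2Ftextarea%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
    "&swpsmtp_test_submit=submit&swpsmtp_nonce_name=e61fbe8d0c"
    "&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dswpsmtp_settings"
)


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into single values,
    mirroring how PHP populates $_POST (blank fields are kept)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_vulnerable(subject, message):
    """Mirrors the original echo statements: raw stored values are interpolated
    into an attribute value and into a textarea body with no encoding."""
    return (
        f'<input type="text" name="swpsmtp_subject" value="{subject}">\n'
        f'<textarea name="swpsmtp_message">{message}</textarea>'
    )


def render_fixed(subject, message):
    """Context-appropriate encoding: &, <, >, " and ' are entity-encoded, so a
    value can neither close the attribute nor close the textarea element.
    (Stand-in for esc_html()/esc_textarea(), which use htmlspecialchars with ENT_QUOTES.)"""
    return (
        f'<input type="text" name="swpsmtp_subject" value="{html.escape(subject, quote=True)}">\n'
        f'<textarea name="swpsmtp_message">{html.escape(message, quote=True)}</textarea>'
    )


def contains_live_script(markup):
    """Detection helper for the comparison: True if a literal <script start tag
    survives in the markup (an entity-encoded &lt;script does not count)."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for body in (SUBJECT_PAYLOAD, MESSAGE_PAYLOAD):
        form = parse_form(body)
        subj, msg = form["swpsmtp_subject"], form["swpsmtp_message"]
        print("vulnerable:", contains_live_script(render_vulnerable(subj, msg)))
        print("fixed:     ", contains_live_script(render_fixed(subj, msg)))
```

Running the block prints True for the vulnerable rendering and False for the fixed rendering of both payloads; the decoded values show exactly why the subject needs a quote-aware encoder and the message needs the closing textarea tag neutralised.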

Vulnerability Two

This vulnerability was never remediated.

The SMTP password is written into the (masked) password field, where any administrator can read it from the page source.

People may disagree that this is a vulnerability, but let me explain my reasoning. Imagine there are several people administering the WordPress website. A user unaware of this issue may set his personal email username and password in this plugin. Any other user with access to this plugin would then be able to unmask the password in the page source and steal his credentials. Therefore, I recommend not returning the SMTP account's password in the HTML at all.

Remediation

Simply remove the line
echo esc_attr(swpsmtp_get_password());
from the value attribute of the password input field.
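Removing the echo raises the practical question of how an administrator keeps the existing password when saving the rest of the settings. The following is an added Python example (not code from this advisory or from the plugin) that shows the usual pattern: the password field is rendered with an empty value, and on save a blank submission leaves the stored secret untouched while any other value replaces it. The field name, the sample secret and the function names are the example's own; html.escape() again stands in for esc_attr().

```python
import html

# Constructed sample secret for the demonstration; not a real credential.
STORED_SMTP_PASSWORD = "s3cret-mailbox-pass"


def render_password_field_vulnerable(stored_password, name="swpsmtp_password"):
    """Mirrors the original behaviour: the stored secret is placed in the value
    attribute. The browser masks it on screen, but it is plain in the page source."""
    return (
        f'<input type="password" name="{name}" '
        f'value="{html.escape(stored_password, quote=True)}">'
    )


def render_password_field_fixed(name="swpsmtp_password"):
    """Remediated form: no value attribute, so the secret never leaves the server.
    autocomplete="new-password" keeps browsers from pre-filling a saved value."""
    return (
        f'<input type="password" name="{name}" value="" autocomplete="new-password"> '
        "(leave blank to keep the current password)"
    )


def update_smtp_password(stored_password, submitted):
    """Keep-if-blank rule that makes the empty field workable: an empty or
    missing submission keeps the existing secret; anything else replaces it."""
    if submitted is None or submitted == "":
        return stored_password
    return submitted


def page_discloses_secret(markup, secret):
    """Detection helper: True if the secret (raw or entity-encoded) is in the markup."""
    return secret in markup or html.escape(secret, quote=True) in markup


if __name__ == "__main__":
    print("vulnerable leaks:",
          page_discloses_secret(render_password_field_vulnerable(STORED_SMTP_PASSWORD),
                                STORED_SMTP_PASSWORD))
    print("fixed leaks:    ",
          page_discloses_secret(render_password_field_fixed(), STORED_SMTP_PASSWORD))
    print("blank submit keeps:", update_smtp_password(STORED_SMTP_PASSWORD, "") == STORED_SMTP_PASSWORD)
```

A settings page that adopts this pattern can be checked with the same helper: fetch the rendered form as an administrator and confirm the configured password string does not appear in the response body, encoded or not.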