WordPress Calls To Action 2.4.3 Cross Site Scripting Vulnerability

Summary

    High-Tech Bridge Security Research Lab discovered two Cross-Site Scripting (XSS) vulnerabilities in the popular WordPress plugin Calls to Action. A remote attacker might be able to steal users' and administrators' cookies, credentials and browser history, modify web page content to perform phishing attacks, or even perform drive-by-download attacks by injecting malware into website pages, when the victim follows a specially crafted link carrying an XSS exploit.

    1. Input passed via the "open-tab" HTTP GET parameter is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted link and executing arbitrary HTML and script code in the browser in the context of the vulnerable website.

    The simple XSS exploit below will display a JavaScript popup with the word "ImmuniWeb" when a logged-in administrator follows the malicious link:

    http://[host]/wp-admin/edit.php?post_type=wp-call-to-action&page=wp_cta_global_settings&open-tab='>[removed]alert(ImmuniWeb);[removed]

    2. Input passed via the "wp-cta-variation-id" HTTP GET parameter is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in user into opening a specially crafted link and executing arbitrary HTML and script code in the browser in the context of the vulnerable website.

    The simple XSS exploit below will display a JavaScript popup with the word "ImmuniWeb" when the victim follows the malicious link:

    http://[host]/cta/ab-testing-call-to-action-example/?wp-cta-variation-id='">[removed]alert(ImmuniWeb);[removed]

Solution

    1. Modify the source code to strictly filter the affected parameters, encoding or rejecting characters such as "<" and ">" and all other special characters that may enable a Cross Site Scripting attack;

    2. Update to Calls to Action 2.5.1;

    3. If you have purchased an NGAF appliance, update the WAF signature database to version 20151218 or above.
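    The following PHP is an added illustration of solution item 1 and of the defect class behind both findings; it is not code from the Calls to Action plugin or from High-Tech Bridge. It shows a GET parameter reflected into markup without encoding, next to two hardened versions: an allowlist for the "open-tab" parameter and HTML encoding for free-form text, plus integer casting for the "wp-cta-variation-id" parameter. The parameter names come from the advisory; the function names, the tab list and the sample input are assumptions constructed for the example.

```php
<?php
// Added example, not the plugin's own code. Parameter names "open-tab" and
// "wp-cta-variation-id" come from the advisory; everything else is assumed.

/**
 * Vulnerable pattern: the raw query value is concatenated into markup.
 * A value containing a quote and ">" closes the attribute and injects
 * new elements, which is the behaviour both findings describe.
 */
function render_tab_vulnerable(array $get): string
{
    $tab = $get['open-tab'] ?? 'general';
    return '<div class="wrap" data-open-tab="' . $tab . '"></div>';
}

/**
 * Fix 1 (preferred where it applies): "open-tab" selects one of a small,
 * known set of tabs, so validate against an allowlist and fall back to a
 * default. Untrusted bytes never reach the output at all.
 */
function render_tab_allowlist(array $get): string
{
    $allowed = ['general', 'display', 'advanced'];   // constructed tab names
    $tab = $get['open-tab'] ?? 'general';
    if (!in_array($tab, $allowed, true)) {
        $tab = 'general';
    }
    return '<div class="wrap" data-open-tab="' . $tab . '"></div>';
}

/**
 * Fix 2: when free-form text really must be reflected, encode it for the
 * context it lands in. ENT_QUOTES also encodes the single quote, which the
 * first payload in the advisory relies on. Inside WordPress the equivalent
 * helpers are esc_attr() for attribute values and esc_html() for element text.
 */
function render_tab_escaped(array $get): string
{
    $tab  = $get['open-tab'] ?? 'general';
    $safe = htmlspecialchars($tab, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="wrap" data-open-tab="' . $safe . '"></div>';
}

/**
 * Fix 3: "wp-cta-variation-id" is an identifier, so enforce the type.
 * Casting to a non-negative integer removes every non-digit character;
 * WordPress offers absint() for the same purpose.
 */
function variation_id_sanitized(array $get): int
{
    return max(0, (int) ($get['wp-cta-variation-id'] ?? 0));
}

// Constructed input that has the shape of the advisory's payloads (quote,
// closing bracket, then injected markup) but carries no script.
$hostile = [
    'open-tab'            => '\'"><em>injected</em>',
    'wp-cta-variation-id' => '\'"><em>injected</em>',
];

echo "vulnerable: " . render_tab_vulnerable($hostile) . PHP_EOL;   // markup escapes the attribute
echo "allowlist:  " . render_tab_allowlist($hostile) . PHP_EOL;    // falls back to "general"
echo "escaped:    " . render_tab_escaped($hostile) . PHP_EOL;      // quotes and brackets encoded
echo "variation:  " . variation_id_sanitized($hostile) . PHP_EOL;  // 0, nothing reflected
```

    Run with `php example.php`. The allowlist and integer-cast variants are the stronger fixes because they decide what the parameter may be rather than what it may not contain; output encoding remains necessary for any value that is genuinely free text, and the encoding function must match the output context (attribute, element body, URL or JavaScript).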