CSRF/Stored XSS in MSMC – Redirect After Comment could allow unauthenticated individuals to do almost anything

CVSS v2 base score: 5.8 (Medium), vector AV:N/AC:M/Au:N/C:P/I:P/A:N

Access Vector:    Network
Access Complexity: Medium
Authentication:   None
Confidentiality:  Partial
Integrity:        Partial
Availability:     None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Vulnerability

An unauthenticated attacker can cause arbitrary JavaScript to execute within /wp-admin/ in the browser of a logged-in administrator. As the proof of concept below shows, the plugin's settings page saves its redirect location from a plain GET request, so the attacker only needs the administrator to open a crafted link (CSRF); the stored value is then rendered unescaped on the settings page (stored XSS).

Because the script runs with the administrator's session, the attacker could use it to create a new user, create posts, add arbitrary PHP code (if the theme/plugin editor is enabled) – almost anything a logged-in admin user can do.

Proof of concept

Step 1: Log in as an administrator.

Step 2: Visit this URL to store the arbitrary HTML (the plain GET request is all that is needed to save the option): http://localhost/wp-admin/options-general.php?page=msmc-comment-redirect&action=1&MSMC_redirect_location=http://localhost/?%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Step 3: Visit this URL to execute the JavaScript from the stored value: http://localhost/wp-admin/options-general.php?page=msmc-comment-redirect

Step 3 is unnecessary in browsers without a reflected-XSS filter (e.g. Firefox): the response to step 2 already renders the stored value, so the script runs immediately. Browsers with such a filter block the copy reflected in the step 2 response but not the stored copy rendered on the next visit.
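To make the root cause concrete, the following is an added example, not the MSMC plugin's own code: a minimal WordPress settings page that reproduces the pattern the proof of concept implies (an option written from an unauthenticated GET parameter and echoed into an attribute without escaping), followed by a hardened version. The function names and the option key are assumptions chosen for illustration; the WordPress API calls (update_option, check_admin_referer, wp_nonce_field, esc_attr, esc_url_raw) are real.

```php
<?php
// Added example, not code from the MSMC plugin. Function names and the
// option key are assumptions for illustration.

// --- Vulnerable pattern (hypothetical reconstruction of what the PoC implies) ---
function msmc_example_vulnerable_page() {
    // No capability check and no nonce: any GET request that an admin's browser
    // sends (for example by following a link) writes the option. This is the CSRF.
    if ( isset( $_GET['action'] ) && $_GET['action'] === '1' ) {
        update_option( 'MSMC_redirect_location', $_GET['MSMC_redirect_location'] );
    }
    $location = get_option( 'MSMC_redirect_location', '' );
    // Unescaped output inside an attribute: a value containing "><script>...
    // closes the attribute and the tag. This is the stored XSS, and the same
    // response also reflects the value just submitted.
    echo '<input type="text" name="MSMC_redirect_location" value="' . $location . '">';
}

// --- Hardened version ---
function msmc_example_hardened_page() {
    // Only administrators may view or change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    if ( isset( $_POST['msmc_save'] ) ) {
        // State changes only via POST carrying a nonce bound to this action;
        // check_admin_referer() terminates the request if the nonce is missing
        // or invalid, so a link or cross-site form cannot trigger the write.
        check_admin_referer( 'msmc_save_redirect' );
        $raw = isset( $_POST['MSMC_redirect_location'] )
            ? wp_unslash( $_POST['MSMC_redirect_location'] )
            : '';
        // esc_url_raw() keeps only a URL with an allowed scheme for storage,
        // so a javascript: or markup payload never reaches the database.
        update_option( 'MSMC_redirect_location', esc_url_raw( $raw ) );
    }
    $location = get_option( 'MSMC_redirect_location', '' );
    echo '<form method="post">';
    // Emits the hidden _wpnonce field that check_admin_referer() verifies.
    wp_nonce_field( 'msmc_save_redirect' );
    // esc_attr() encodes quotes and angle brackets, so the stored value can
    // no longer break out of the attribute even if it were malformed.
    echo '<input type="text" name="MSMC_redirect_location" value="' . esc_attr( $location ) . '">';
    echo '<input type="submit" name="msmc_save" value="Save">';
    echo '</form>';
}
```

Both the write and the read need fixing: the nonce and POST requirement stop the unauthenticated attacker from changing the option, and escaping at output stops a value that did reach the database (for example via an earlier compromise or a direct database edit) from executing in an administrator's browser.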

Mitigation/further actions

The plugin author has indicated that this plugin is abandonware and has unpublished it from the WordPress directory. Disable and uninstall the plugin as this bug won’t be fixed.