WordPress Plugin - EU Cookie Law (GDPR) - Stored XSS
Vulnerability Overview
The eu-cookie-law plugin through 3.0.6 for WordPress (aka EU Cookie Law (GDPR)) is susceptible to Stored XSS due to improper encoding of several configuration options in the admin area and the displayed cookie consent message. This affects Font Color, Background Color, and the Disable Cookie text. An attacker with high privileges can attack other users.
- Identifier : SBA-ADV-20190913-01
- Type of Vulnerability : Cross-site Scripting
- Software/Product Name : EU Cookie Law (GDPR)
- Vendor : Alex Moss, Marco Milesi
- Affected Versions : <= 3.0.6 and possibly upwards
- Fixed in Version : -
- CVE ID : CVE-2019-16522
- CVSSv3 Vector : AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
- CVSSv3 Base Score : 3.5 (Low)
Vendor Description
EU Cookie Law is a light, elegant and powerful solution to comply european cookie law and GDPR, with popup and options to lock scripts before acceptance.
Various customizations included to perfectly fit your website and keep cookies under control (before and after the consent).
Simply install the plugin and follow the instructions on the Settings page.
Active Installations: 100,000+
Source: https://wordpress.org/plugins/eu-cookie-law/
Impact
By exploiting the documented vulnerability, an authenticated attacker with high privileges (admin) can execute JavaScript code in a victim's browser. This can be misused, e.g for phishing attacks by displaying a fake login form and sending the victim's credentials to the attacker. Furthermore malicious actions can be performed in the context of an authenticated user. The impact depends on the level of access of the attacked user.
Vulnerability Description
In the configuration area /wp-admin/options-general.php?page=peadig_eucookie
an admin can set several options for the plugin. Most of them are correctly
escaped before inserted in the HTML page. However three values of settings can
be exploited to insert arbitrary JavaScript and HTML.
Those are:
- Font Color
- Background Color
- "Disable Cookie" Text
The value of "Fontcolor" will be inserted on every page where the cookie consent message is shown. The other two are by default only exploitable in the admin area.
Proof of Concept
This example shows how an attacker can exploit this vulnerability through the
value of "Font Color": By setting the value #FFFFFF"><script>alert(1)</script>,
an attacker can break out of the HTML attribute and insert a script tag containing
JavaScript. In this example a simple alert-popup-box will be shown.
So when the attacker sends the following HTTP-Request:
POST /wp-admin/options.php HTTP/1.1
[...]
[...]peadig_eucookie%5Bfontcolor%5D=%23FFFFFF%22%3E%3Cscript%3Ealert%281%29%3C/script%3E[...]In the admin area, the resulting HTML page looks like the following (shortened for readability):
[...]
<input id="fontcolor" type="text" name="peadig_eucookie[fontcolor]" value="#FFFFFF">
<script>alert(1)</script>
" class="color-field" data-default-color="#ffffff"/>
[...]On the page with the cookie message the payload will be inserted multiple times. The resulting HTML looks like the following (shortened for readability):
[...]
<!-- Eu cookie Law 3.0.6 -->
<div class="pea_cook_wrapper pea_cook_bottomcenter" style="color:#FFFFFF">
<script>alert(1)</script>
;background:rgb(0,0,0);background: rgba(0,0,0,0.85);">
[...]Recommended Countermeasures
We recommend to escape the values using the esc_attr-function provided by WordPress.
Timeline
2019-09-04Identified the vulnerability2019-09-06Contacted the authors2019-09-06Response by authors about disclosure contact2019-09-09Disclosed vulnerability to the authors2019-09-20CVE assigned2019-09-20Asked authors again for fix2019-10-16Public disclosure, because authors did not respond
References
- https://wordpress.org/plugins/eu-cookie-law/
- https://wordpress.org/plugins/eu-cookie-law/#developers
Credits
- Tobias Fink (SBA Research)