
Stored Cross-Site Scripting in Popular WordPress Plugin Blog Designer

May 1, 2019 by Luka Šikić

Earlier this month, an unauthenticated cross-site scripting vulnerability was found in the popular WordPress plugin Blog Designer, which has more than 30,000 active installations.

[Screenshot: Blog Designer plugin page, from https://wordpress.org/plugins/blog-designer/]

As the plugin name suggests, it lets you change the style of your WordPress website. The vulnerable component of the plugin is the function in charge of updating the plugin settings.


Unfortunately, the mentioned component doesn’t check whether the user is logged in or has the privilege to update plugin settings. Another problem is that the developers once again rely on the `admin_init` hook, which fires on every page that is part of the admin interface. That hook does not, by itself, check whether the user is logged in or has administrative privileges.

The plugin option that takes the XSS payload is `custom_css`, and its value can be manipulated through the `wp_blog_designer_save_settings` function.

The stored value is later printed out from the designer_css.php file. Since there is no sanitizing function in place, exploiting this vulnerability is fairly simple.


Proof of Concept

Since the vulnerable function is loaded on every page that is part of the administrator interface, simply sending a POST request to /wp-admin/admin-ajax.php?action=save&updated=true triggers the plugin settings update function.
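To make the two problems described above concrete, here is an added example (not the plugin’s own code) of the vulnerable pattern next to a hardened version. The `bd_example_*` function and option names are hypothetical; the WordPress API calls (`add_action`, `update_option`, `current_user_can`, `check_admin_referer`, `wp_strip_all_tags`) are real.

```php
<?php
// Added example, not the Blog Designer plugin's code. Names prefixed
// bd_example_ are hypothetical; only the WordPress API functions are real.

// --- Vulnerable pattern: a settings handler hooked to admin_init with no
// login/capability check, no nonce, and the raw POST value stored as-is.
function bd_example_save_settings_vulnerable() {
    if ( isset( $_GET['action'] ) && 'save' === $_GET['action'] ) {
        // admin_init fires for every admin-side script, admin-ajax.php
        // included, so an unauthenticated request reaches this branch.
        update_option( 'bd_example_custom_css', $_POST['custom_css'] );
    }
}

function bd_example_print_css_vulnerable() {
    // The stored value is echoed verbatim: a closing </style> followed by
    // markup would break out of the style block (stored XSS).
    echo '<style>' . get_option( 'bd_example_custom_css' ) . '</style>';
}

// --- Hardened version of the same handler.
function bd_example_save_settings_hardened() {
    if ( ! isset( $_POST['bd_example_save'] ) ) {
        return; // not our form submission
    }
    // 1. Authorization: only users allowed to manage settings may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'bd-example' ), 403 );
    }
    // 2. CSRF protection: the form must carry a valid nonce.
    check_admin_referer( 'bd_example_save_settings', 'bd_example_nonce' );
    // 3. Sanitize on input: strip all tags so stored CSS cannot carry markup.
    $css = isset( $_POST['custom_css'] )
        ? wp_strip_all_tags( wp_unslash( $_POST['custom_css'] ) )
        : '';
    update_option( 'bd_example_custom_css', $css );
}
add_action( 'admin_init', 'bd_example_save_settings_hardened' );

function bd_example_print_css_hardened() {
    // 4. Escape on output too (defence in depth in case another code path
    // wrote the option): no tag, and therefore no "</style>", can survive.
    $css = wp_strip_all_tags( get_option( 'bd_example_custom_css', '' ) );
    echo '<style>' . $css . '</style>';
}
```

The vulnerable functions are shown for comparison only and are deliberately not hooked; in a real plugin the hardened handler would additionally be registered on the settings page’s own form submission rather than on a generic `admin_init` path.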


Timeline:

  • Apr 4, 2019 – Vulnerability reported to developers
  • Apr 4, 2019 – Developers replied: “Thank you for showing us bug. We will correct it on our plugin”
  • Apr 29, 2019 – Vulnerability reported to WordPress due to a lack of interest from plugin developers
  • Apr 29, 2019 – Plugin temporarily removed from the WP repository
  • May 2, 2019 – Patched version released and the plugin available for download again

The vulnerability in the WordPress plugin Blog Designer affects plugin versions up to and including 1.8.10. At the time of writing, the vulnerability has been patched in the current version, 1.8.12, and we encourage all users to update the plugin or to activate the WebARX firewall.


The WebARX web application firewall (WAF) already protects against this vulnerability, and WebARX users are safe.
