May 1, 2019 by Luka Šikić
Earlier this month, unauthenticated cross-site scripting vulnerability was found in the popular WordPress plugin Blog Designer that counts more than 30,000 active installations.
As you can assume from the plugin name, it allows you to change the style of your WordPress website. The vulnerable component of the plugin is in the function that is in charge of updating plugin settings.
Unfortunately, the mentioned component doesn’t check if the user is logged in or have the privilege to update plugin settings. Another problem is that developers, once again rely on ‘admin_init’ event which fires on every page that is part of the admin interface. It won’t, however, check if the user is logged in or have administrative privileges.
Which is then later printed out from the designer_css.php file. Since there is no sanitizing function in place, exploiting this vulnerability is fairly simple.
Since the vulnerable function is being loaded on every page that is part of the administrator interface, simply sending a POST request to /wp-admin/admin-ajax.php?action=save&updated=true will trigger the plugin settings update function.
The vulnerability in the WordPress plugin Blog Designer affects plugin versions up to and 1.8.10. At the time of writing this article, a vulnerability has been patched in current version 1.8.12 and we encourage all users to update the mentioned plugin or to activate WebARX firewall.
WebARX web application firewall (WAF) is already protecting from this vulnerability and WebARX users are safe.