The Wordfence Threat Intelligence team discovered the XSS vulnerability in the popular plugin on August 19, 2021. The WordPress plugin is installed on more than 100,000 websites, which makes this a very critical vulnerability for the WordPress community. Thanks to the Wordfence team, the developers released a patched version of the plugin, 4.3.21, on October 4, 2021.
POST over GET method
The vulnerability is tracked as CVE-2021-38356 and lets an attacker carry out the attack by triggering the faulty function in the plugin. The nxs_ReposterListTable::column_title function in inc/nxs_class_snap.php echoes out the value of $_REQUEST['page'] when an administrator visits the plugin administration page at wp-admin/admin.php?page=nxssnap-post.
function column_post_title($item){
    // Build row actions. The anchor markup inside the format strings was lost
    // in extraction; it is restored here following the standard WP_List_Table
    // row-action pattern (three placeholders: page, action, post ID).
    // The first %s is filled from $_REQUEST['page'] without any escaping,
    // which is the reflected XSS described in the text.
    $actions = array(
        'edit'   => sprintf('<a href="?page=%s&action=%s&post=%s">Edit</a>', $_REQUEST['page'], 'edit', $item->ID),
        'delete' => sprintf('<a href="?page=%s&action=%s&post=%s">Delete</a>', $_REQUEST['page'], 'delete', $item->ID),
    );
    // Return the title contents
    return sprintf('%1$s (id:%2$s)%3$s',
        /*$1%s*/ $item->post_title,
        /*$2%s*/ $item->ID,
        /*$3%s*/ $this->row_actions($actions)
    );
}
WordPress uses the value of the $_GET['page'] parameter to determine which administrative page to serve. It is common practice for developers to read $_REQUEST for values that may arrive in $_GET and/or $_POST, since the $_REQUEST superglobal contains the data of both. Here $_REQUEST['page'] is expected to hold the same value as $_GET['page'], but because it can be populated from more than one superglobal, this leads to a reflected XSS attack.
Most system administrators run a PHP configuration in which $_POST takes precedence over $_GET when $_REQUEST is populated. Simply put, if both $_GET['page'] and $_POST['page'] are set, $_REQUEST['page'] holds the contents of $_POST['page'], which makes it possible to execute JavaScript in the browser of a logged-in administrator through a self-submitting form that sends a POST request to the website.
Example: https://example.com/wp-admin/admin.php?page=nxssnap-post, with the $_POST['page'] parameter set to malicious JavaScript.
Possible to take over the website
The $_GET['page'] parameter can still be set to nxssnap-post, so WordPress routes the victim to the correct page. Once the victim is there, the malicious JavaScript in $_POST['page'] is echoed out on the page.
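The following is an added example, not code from the plugin or the advisory. It rebuilds $_REQUEST by hand the way PHP's default request_order = "GP" does (POST overwrites GET), reproduces the vulnerable row-action link with a harmless constructed payload, and shows a hardened version that reads the routing slug from $_GET only, restricts it to slug characters, and escapes it (htmlspecialchars stands in for WordPress's esc_attr(); the fallback slug and the helper names are assumptions).

```php
<?php
// Added example (not the plugin's code). Runs stand-alone with: php example.php
// Constructed request: GET carries the real slug, POST carries an injected value.
$_GET  = ['page' => 'nxssnap-post'];
$_POST = ['page' => '"><i>injected</i>']; // harmless constructed payload

// Mimic request_order = "GP": sources are merged in order, later ones win,
// so a POST "page" silently overrides the GET "page" inside $_REQUEST.
function build_request(array $get, array $post, string $order = 'GP'): array {
    $merged = [];
    foreach (str_split($order) as $source) {
        $merged = array_merge($merged, $source === 'G' ? $get : $post);
    }
    return $merged;
}
$_REQUEST = build_request($_GET, $_POST);

// Vulnerable pattern from the advisory: the raw $_REQUEST value lands in an href.
function vulnerable_edit_link(array $request, int $id): string {
    return sprintf('<a href="?page=%s&action=%s&post=%s">Edit</a>',
        $request['page'], 'edit', $id);
}

// Hardened: read only $_GET (the superglobal WordPress actually routes on),
// accept nothing but slug characters, and escape for an HTML attribute.
function hardened_edit_link(array $get, int $id): string {
    $page = isset($get['page']) ? (string) $get['page'] : '';
    if (!preg_match('/^[a-z0-9_-]+$/', $page)) {
        $page = 'nxssnap-post'; // assumed known slug used as a safe fallback
    }
    return sprintf('<a href="?page=%s&action=%s&post=%d">Edit</a>',
        htmlspecialchars($page, ENT_QUOTES, 'UTF-8'), 'edit', $id);
}

echo "Merged \$_REQUEST['page']: ", $_REQUEST['page'], PHP_EOL;
echo "Vulnerable: ", vulnerable_edit_link($_REQUEST, 42), PHP_EOL;
echo "Hardened:   ", hardened_edit_link($_GET, 42), PHP_EOL;
```

Running it shows the POST value breaking out of the href attribute in the vulnerable link, while the hardened link keeps the GET slug and neutralises anything else.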
Because the JavaScript executes in the logged-in administrator's session, it runs with administrative privilege, which can lead to adding malicious administrative users or inserting backdoors into the website. At that point, it is very easy to take over the website! If you are one of the plugin users and the version installed on your system is lower than 4.3.21, we highly recommend that you update it urgently.
Note: At the time of writing this article, the current stable version was 4.3.23.
Download the latest version of NextScripts: Social Networks Auto-Poster plugin