Attackers can gain control of the website by stealing cookies and impersonating admins or moderators

May 3, 2016 21:56 GMT  ·  By

Yesterday, Automattic released bbPress 2.5.9, the latest version of the official WordPress forum plugin, which fixed a dangerous stored XSS (cross-site scripting) vulnerability that affected all existing bbPress versions.

According to statistics from WordPress.org, the plugin is currently live on over 300,000 websites.

The bug is a stored XSS flaw, the more dangerous of the two XSS types known today (reflected and stored). In stored XSS vulnerabilities, a malicious attacker can insert code in a Web platform, which gets "stored" in its database or backend and is then displayed to all subsequent visitors who access the affected page.

XSS bug was in the forum plugin's user mentions feature

In this particular case, security researchers from Sucuri say they discovered a method through which an attacker could use the bbPress user mention (@username) system to store malicious code inside forum posts.

These posts would be saved to the database and then listed for users viewing the respective thread. If the attacker had the necessary skills, they could craft malicious code that would allow them to steal cookies from moderators or forum admins and impersonate them on the underlying WordPress backend, accessing it with elevated privileges.

According to Sucuri's Marc-Alexandre Montpas, an attacker could insert a link inside the forum post, but instead of the link's source (the href attribute), they could place a user mention like this:

<a href="@test">link</a>
# transformed to:
<a href="<a href="http://bbpressforum.com/test/profile/" rel="nofollow">test</a>">link</a>
bbPress' user mentions system would replace the @username with another link, creating a link-in-link HTML structure.

As you can observe, the normal double-quote sequence is broken, and attackers could use this opportunity to insert malicious code inside the link, which would then get stored in the forum's database and executed later on against other users.
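The mistake described above, shown as an added Python example that is not bbPress's own code: a naive mention rewrite that substitutes @username across the raw post markup (reproducing the nested-link output from the article), beside a hardened version that only rewrites text nodes and copies tags and attribute values through untouched. The profile URL pattern is taken from the article's example output, and usernames are assumed to be alphanumeric.

```python
import html, re
from html.parser import HTMLParser

# Profile URL pattern copied from the article's example output, not bbPress's real code.
PROFILE_URL = "http://bbpressforum.com/{user}/profile/"
MENTION_RE = re.compile(r"@([A-Za-z0-9_]+)")

def mention_link(m):
    """Build the profile link that replaces one matched @username."""
    user = html.escape(m.group(1), quote=True)
    return '<a href="%s" rel="nofollow">%s</a>' % (PROFILE_URL.format(user=user), user)

def linkify_naive(post_html):
    """Vulnerable pattern: rewrite @username anywhere in the raw markup, even
    inside attribute values such as href="@test"; this yields the nested link."""
    return MENTION_RE.sub(mention_link, post_html)

class MentionLinkifier(HTMLParser):
    """Hardened pattern: rewrite @username only in text nodes; tags, attribute
    values and entities are copied through verbatim (self-closing tags and
    comments would need their own pass-through handlers)."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        self.out.append(self.get_starttag_text())  # original tag, untouched

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(MENTION_RE.sub(mention_link, data))

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

def linkify_safe(post_html):
    parser = MentionLinkifier()
    parser.feed(post_html)
    parser.close()
    return "".join(parser.out)

def breaks_attribute_quoting(rendered):
    """Symptom check from the article: a generated link landing inside a quoted href."""
    return 'href="<a ' in rendered
```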

Sucuri reported the issue to bbPress' maintainers on April 12. bbPress 2.5.9 was released yesterday and addressed this issue.

Users should update immediately, or if they can't upgrade, they should deploy a Web application firewall that can catch exploits against this vulnerability. Since Sucuri discovered the issue, you can start with their WAF product, or wait for your provider to update theirs.