wp-plugin : keyring

Plugin Details
Plugin Name: wp-plugin : keyring
Affected Version : 1.5 (and most probably lower versions, if any)
Vulnerability : Cross-Site Scripting (XSS)
Identified by : anantshri
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC - (Proof of Concept) :
http://localhost/wp-content/plugins/keyring/includes/oauth-php/example/index.php?sig_method=<script>alert(document.cookie)</script>

Vulnerable Parameter : sig_method

Type of XSS : Reflected

Fixed in : 1.5.1

Trac Changelog : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=834526%40keyring&old=804079%40keyring&sfp_email=&sfph_mail=

This specific vulnerability is actually a flaw in the oauth-php SDK's sample code; multiple WordPress plugins bundle that same code, so a parallel disclosure was made. The OSVDB entry for the same is listed here: http://osvdb.org/show/osvdb/101897
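The bug class behind this advisory is a request parameter reflected into HTML without encoding. The following PHP is an added illustration written for this page, not the oauth-php sample's or Keyring's actual code: it shows the vulnerable pattern next to a hardened version that allow-lists the `sig_method` value and HTML-encodes it before output. The parameter name comes from the advisory; the function names, the allow-list contents and the sample input are assumptions constructed for the example.

```php
<?php
// Added illustration for this advisory; not the oauth-php sample's real code.
// Reproduces the pattern described above: a query parameter ("sig_method",
// the name from the advisory) reflected into an HTML page unescaped.
// Function names and the allow-list below are assumptions for the example.

declare(strict_types=1);

/** Vulnerable pattern: the raw query value is concatenated into markup. */
function render_vulnerable(array $get): string
{
    $sig = $get['sig_method'] ?? 'HMAC-SHA1';
    return '<p>Signature method: ' . $sig . '</p>';
}

/** Hardened pattern: allow-list the value, then HTML-encode on output. */
function render_hardened(array $get): string
{
    // Assumed set of signature methods the page is prepared to display.
    $allowed = ['HMAC-SHA1', 'PLAINTEXT', 'RSA-SHA1'];
    $sig = $get['sig_method'] ?? 'HMAC-SHA1';
    if (!in_array($sig, $allowed, true)) {
        $sig = 'HMAC-SHA1';   // anything outside the known set is dropped
    }
    // Encode even an allow-listed value: output encoding is the fallback
    // defence if the allow-list is ever loosened.
    return '<p>Signature method: '
        . htmlspecialchars($sig, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// Constructed sample input, shaped like the advisory's PoC but with a
// harmless marker instead of a real payload.
$sample = ['sig_method' => '<script>probe()</script>'];

echo 'Vulnerable: ' . render_vulnerable($sample) . PHP_EOL;
// Vulnerable: <p>Signature method: <script>probe()</script></p>
echo 'Hardened:   ' . render_hardened($sample) . PHP_EOL;
// Hardened:   <p>Signature method: HMAC-SHA1</p>
```

Run with `php example.php`. The vulnerable branch emits the marker as live markup, which is exactly what the PoC URL above triggers in the shipped sample; the hardened branch never echoes attacker-controlled text and encodes what it does echo. Inside WordPress plugin code, `esc_html()` performs the same output encoding as the `htmlspecialchars` call here. Note also that the PoC path sits under `wp-content/plugins/`, so any example or demo file bundled with a plugin is reachable by unauthenticated visitors and is part of the site's attack surface, which is why the same flaw surfaced in several plugins at once.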


Disclosure Timeline
Vendor Contacted : 2014-01-05
Plugin Status : Updated on 2014-01-07
Public Disclosure : July 7, 2014
CVE Number :
Plugin Description :
Keyring provides a very hookable, completely customizable framework for connecting your WordPress to an external service. It takes care of all the heavy lifting when making authenticated requests, so all you need to do is implement cool features and not worry about these tricky bits.

Out of the box, Keyring currently comes with base Service definitions for webservices which use:
* HTTP Basic
* OAuth1
* OAuth2

And includes an example service implementation (services/extended/example.php) plus ready-to-use definitions for:
* [Delicious](http://delicious.com/)
* [Facebook](http://facebook.com/)
* [Flickr](http://flickr.com/)
* [Foursquare](http://foursquare.com/)
* [Google Contacts](http://google.com/)
* [Instagram](http://instagram.com/)
* [Instapaper](http://instapaper.com/)
* [LinkedIn](http://linkedin.com/)
* [Moves](http://moves-app.com/)
* [RunKeeper](http://runkeeper.com/)
* [TripIt](http://tripit.com/)
* [Tumblr](http://tumblr.com/)
* [Twitter](http://twitter.com/)
* [Yahoo! Updates](http://yahoo.com/)

You can very easily write your own Service definitions and then use all the power of Keyring to hook into that authentication flow. See the [Keyring Developer's Guide](http://dentedreality.com.au/projects/wp-keyring/) for more details.