LOG HTTP REQUESTS — VERSION 1.3.1 — SUMMARY
The following document describes identified vulnerabilities in the Log HTTP Requests application version 1.3.1.
Log HTTP Requests is a WordPress plugin that logs all WP_HTTP requests and displays them in a table listing for easy viewing. It also stores the runtime of each HTTP request. The project’s official website is https://wordpress.org/plugins/log-http-requests. The latest version of the application is 1.3.2, released on August 16, 2022.
One vulnerability was identified within the Log HTTP Requests plugin:
- Stored Cross-Site Scripting (XSS)
The vulnerability is described in the following sections.
Affected Versions: All versions prior to and including 1.3.1
Summary of Findings
The Log HTTP Requests plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via logged HTTP requests in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping.
The Log HTTP Requests WordPress plugin is affected by a stored XSS vulnerability that allows an attacker to gain unauthorized access to the WordPress Administrator account and carry out any action the admin was originally permitted to perform. This makes it possible for unauthenticated attackers who can trick a site's administrator into performing an action such as clicking a link, or for authenticated users with access to a page that sends a server-side request built from user-supplied data, to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page.
Solution: Update to version 1.3.2
CVE ID: CVE-2022-3402
Vulnerability Type: Stored Cross-Site Scripting (XSS)
Access Vector: ☒ Remote, ☐ Local, ☐ Physical, ☐ Context dependent, ☐ Other (if other, please specify)
Impact: ☒ Code execution, ☐ Denial of service, ☒ Escalation of privileges, ☐ Information disclosure, ☐ Other (if other, please specify)
Security Risk: ☐ Critical, ☐ High, ☒ Medium, ☐ Low
The Log HTTP Requests WordPress plugin is affected by a stored cross-site scripting (XSS) vulnerability that allows an attacker to gain unauthorized access to the WordPress Administrator account and carry out any action the admin was originally permitted to perform.
First, an administrator navigated to the search results page of the plugin installation interface via a malicious URL that carried the following payload as the search term:
After the interface loaded, the payload was visible in the search bar, as shown below:
Figure 1 - Payload reflected in response without executing
Then, the user navigated to the Log HTTP Request interface located at:
Figure 2 - Payload executed in Log HTTP Request interface
Figure 3 - Unescaped URL property being inserted into the DOM
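The root cause described in the summary and shown in Figure 3 is a logged request URL written into the admin table without output escaping. The following is an added illustration, not the plugin's own code: `renderRowUnsafe` reproduces the pattern of concatenating the raw URL into markup, and `renderRowSafe` shows the hardened form that escapes every untrusted field at output time. The entry shape (`url`, `runtime`), the function names, and the sample log entry are all constructed for this example.

```javascript
// Added example (not the plugin's code): rendering a logged request URL into
// an admin table, first without escaping, then with output escaping.

// Minimal HTML escaper covering the five characters that matter in both
// element content and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the logged URL is concatenated straight into markup,
// so any HTML carried in the URL becomes part of the admin page.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.url}</td><td>${entry.runtime}</td></tr>`;
}

// Hardened pattern: every untrusted field is escaped when it is written out,
// so the same URL is displayed as text instead of being parsed as markup.
function renderRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.url)}</td><td>${escapeHtml(entry.runtime)}</td></tr>`;
}

// Constructed sample log entry (hypothetical): a request URL whose query
// string carries a script tag, the kind of value a logger must treat as data.
const SAMPLE_ENTRY = {
  url: 'https://example.com/?s=<script>alert(1)</script>',
  runtime: '0.12s',
};

// Detection helper used by the self-check: does the rendered HTML still
// contain an unescaped script tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe renderer leaks markup:', containsRawScriptTag(renderRowUnsafe(SAMPLE_ENTRY)));
  console.log('safe renderer leaks markup:  ', containsRawScriptTag(renderRowSafe(SAMPLE_ENTRY)));
}
```

When the table is built in PHP rather than in the browser, WordPress's own `esc_html()` and `esc_attr()` play the same role as `escapeHtml()` above; when it is built with the DOM API, assigning the value to `textContent` instead of `innerHTML` achieves the same result without a manual escaper.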
- Etan Imanol Castro Aldrete, Consultant II, Bishop Fox ([email protected])
- 08/01/2022: Initial discovery
- 08/15/2022: Contact with vendor
- 08/16/2022: Vendor acknowledged vulnerabilities
- 08/16/2022: Vendor released patched version 1.3.2
- 10/05/2022: Vulnerability publicly disclosed