Log HTTP Requests, Version 1.3.1, Advisory



LOG HTTP REQUESTS — VERSION 1.3.1 — SUMMARY

The following document describes identified vulnerabilities in the Log HTTP Requests application version 1.3.1.

Product Vendor

FACETWP, LLC

Product Description

Log HTTP Requests is a WordPress plugin that logs all WP_HTTP requests and displays them in a table listing for easy viewing. It also stores the runtime of each HTTP request. The project’s official website is https://wordpress.org/plugins/log-http-requests. The latest version of the application is 1.3.2, released on August 16, 2022.

Vulnerabilities List

One vulnerability was identified within the Log HTTP Requests plugin:

  • Stored Cross-Site Scripting (XSS)

The vulnerability is described in the following sections.

Affected Version

All versions prior to and including 1.3.1

Summary of Findings

The Log HTTP Requests plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via logged HTTP requests in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping.

Impact

The Log HTTP Requests WordPress plugin is affected by a stored XSS vulnerability that allows an attacker to gain unauthorized access to the WordPress Administrator account and carry out any action the admin was originally permitted to perform. Because the plugin logs the request data and later renders it, an unauthenticated attacker who tricks a site's administrator into performing an action such as clicking a link, or an authenticated user with access to a page that sends a server-side request containing user-supplied data, can inject arbitrary web scripts into pages; those scripts execute whenever a user accesses an injected page.

Solution

Update to version 1.3.2


Vulnerabilities

Cross-Site Scripting

The cross-site scripting (XSS) vulnerability allows the execution of a JavaScript payload each time an administrator accesses the Log HTTP Requests plugin's interface. The vulnerability could be used to push the site's administrator into performing an action that injects arbitrary web scripts into pages, and those scripts will execute whenever a user accesses an injected page.

Vulnerability Details

CVE ID: CVE-2022-3402

Vulnerability Type: Stored Cross-Site Scripting (XSS)

Access Vector: ☒ Remote, ☐ Local, ☐ Physical, ☐ Context dependent, ☐ Other (if other, please specify)

Impact: ☒ Code execution, ☐ Denial of service, ☒ Escalation of privileges, ☐ Information disclosure, ☐ Other (if other, please specify)

Security Risk: ☐ Critical, ☐ High, ☒ Medium, ☐ Low

Vulnerability: CWE-79

The Log HTTP Requests WordPress plugin is affected by a stored cross-site scripting (XSS) vulnerability that allows an attacker to gain unauthorized access to the WordPress Administrator account and carry out any action the admin was originally permitted to perform.

First, an administrator navigated to a crafted plugin installation interface URL whose search term contained the following payload:

http://localhost/wordpress1/wp-admin/plugin-install.php?s=<script>alert('bishopfox')</script>&tab=search&type=term

After the interface loaded, the payload was visible in the search bar, as shown below:

Figure 1 - Payload reflected in response without executing

Then, the user navigated to the Log HTTP Request interface located at: 

http://localhost/wordpress1/wp-admin/tools.php?page=log-http-requests

When the page loaded, the JavaScript payload was executed:

Figure 2 - Payload executed in Log HTTP Request interface

As shown above, the malicious JavaScript was executed successfully. Since the XSS vulnerability executed within the context of the admin’s session, an attacker could leverage this vulnerability to carry out any action that the admin user was originally permitted to perform.

The plugin contains the following unescaped JavaScript object property in the file assets/js/admin.js:24, which allows JavaScript code to be inserted into the DOM:

Figure 3 - Unescaped URL property being inserted into the DOM
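To illustrate the root cause named above, the following is an added example written for this page; it is not the plugin's own `admin.js` code, and the function names (`renderRowUnsafe`, `renderRowSafe`, `escapeHtml`) and the shape of the log entry (`url`, `runtime`) are assumptions chosen for illustration. It contrasts the pattern of concatenating a logged request URL straight into HTML markup with the same rendering after HTML-escaping every untrusted field, using a constructed log entry whose URL carries the search-term payload from the reproduction steps.

```javascript
// Added example (not the plugin's code). Field and function names are assumptions.

// Minimal HTML escaper: neutralises the characters that can break out of text
// content or a quoted attribute value. '&' must be replaced first so that the
// entities produced by the later replacements are not escaped a second time.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe pattern: the stored URL is trusted as markup, so any HTML or script
// inside it becomes part of the page once this string is inserted into the DOM.
function renderRowUnsafe(entry) {
  return '<tr><td>' + entry.url + '</td><td>' + entry.runtime + '</td></tr>';
}

// Safe pattern: each untrusted field is escaped at output time, so the URL is
// displayed verbatim as text instead of being parsed as markup.
function renderRowSafe(entry) {
  return '<tr><td>' + escapeHtml(entry.url) +
         '</td><td>' + escapeHtml(entry.runtime) + '</td></tr>';
}

// Constructed sample entry: a logged request whose URL contains the advisory's
// alert payload as the plugin-install search term. No real site is involved.
const sampleEntry = {
  url: "http://localhost/wp-admin/plugin-install.php?s=<script>alert('bishopfox')</script>&tab=search",
  runtime: 0.42,
};

// Renders the sample entry both ways so the difference can be inspected.
function demo() {
  return {
    unsafe: renderRowUnsafe(sampleEntry),
    safe: renderRowSafe(sampleEntry),
  };
}

console.log(demo());
```

The escaping is deliberately applied where the value is joined into markup, not where the request is logged: the log must keep the exact URL that was requested, and a single output-side escape covers every field regardless of how it was stored. In browser code that builds the table with DOM APIs, assigning the URL to a node's `textContent` (rather than `innerHTML`) achieves the same result without a hand-written escaper.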

Credits

Timeline

  • 08/01/2022: Initial discovery
  • 08/15/2022: Contact with vendor
  • 08/16/2022: Vendor acknowledged vulnerabilities
  • 08/16/2022: Vendor released patched version 1.3.2
  • 10/05/2022: Vulnerability publicly disclosed




About the author, Etan Castro Aldrete

Consultant II

Etan Castro Aldrete is a Mexico-based Consultant II at Bishop Fox. Before joining Bishop Fox, Etan worked on different types of hybrid web applications as a backend developer. Etan is credited with public disclosure of CVE-2022-3402, a stored cross-site scripting vulnerability within Log HTTP Requests, a WordPress plugin. He currently holds five security certifications including Offensive Security Web Expert (OSWE), Offensive Security Certified Professional (OSCP), CompTIA Network Vulnerability Assessment Professional - CNVP Stackable Certification, CompTIA PenTest+ ce Certification, and CompTIA Security+ ce Certification. When he is not looking for vulnerabilities, he is searching for ancient coins with a metal detector.

