WordPress Plugin Vulnerabilities
AddToAny Share Buttons <= 1.7.14 - Conditional Host Header Injection
Description
Plugin description: "AddToAny is the universal sharing platform, and AddToAny’s plugin is the most popular share plugin for WordPress, making sites social media ready since 2006."
Active installs (according to https://wordpress.org/plugins/add-to-any/): 400,000+ (checked on 15. Aug 2017)
It is possible to inject a custom Host header that is then used to build the link shared on social media platforms when users click the buttons. Combined with web cache poisoning, every user would share the attacker's website.
README.txt:179-192
To share the current URL and title (detected on the client-side):
```php
<?php if ( function_exists( 'ADDTOANY_SHARE_SAVE_KIT' ) ) {
    ADDTOANY_SHARE_SAVE_KIT( array( 'use_current_page' => true ) );
} ?>
```
To hardcode the shared current URL and modify the title (server-side):
```php
<?php if ( function_exists( 'ADDTOANY_SHARE_SAVE_KIT' ) ) {
    ADDTOANY_SHARE_SAVE_KIT( array(
        'linkname' => is_home() ? get_bloginfo( 'description' ) : wp_title( '', false ),
        'linkurl'  => esc_url_raw( ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ),
    ) );
} ?>
```
Both versions use the attacker-supplied Host header as the domain of the shared link.
The following code is part of the function A2A_SHARE_SAVE_link_vars( $linkname = false, $linkurl = false, $linkmedia = false, $use_current_page = false ).
add-to-any.php:72-81
```php
// Set linkurl
if ( ! $linkurl ) {
    if ( $use_current_page ) {
        $linkurl = esc_url_raw ( ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
    } elseif ( isset( $post ) ) {
        $linkurl = get_permalink( $post->ID );
    } else {
        $linkurl = '';
    }
}
```
add-to-any.php:83
```php
$linkurl_enc = rawurlencode( $linkurl );
```
add-to-any.php:88
```php
return compact( 'linkname', 'linkname_enc', 'linkurl', 'linkurl_enc', 'linkmedia', 'linkmedia_enc' );
```
The following code is part of the function ADDTOANY_SHARE_SAVE_KIT( $args = array() ).
add-to-any.php:100
```php
$args = array_merge( $args, A2A_SHARE_SAVE_link_vars( $linkname, $linkurl, $linkmedia, $use_current_page ) ); // linkname_enc, etc.
```
add-to-any.php:108
```php
extract( $args );
```
add-to-any.php:173
```php
$kit_html = ADDTOANY_SHARE_SAVE_ICONS( $args );
```
The following code is part of the function ADDTOANY_SHARE_SAVE_ICONS( $args = array() ).
add-to-any.php:200
```php
$args = array_merge( $args, A2A_SHARE_SAVE_link_vars( $linkname, $linkurl, $linkmedia ) ); // linkname_enc, etc.
```
add-to-any.php:221
```php
extract( $args );
```
add-to-any.php:339
```php
$url = isset( $href ) ? $href : 'https://www.addtoany.com/add_to/' . $safe_name . '?linkurl=' . $linkurl_enc . '&linkname=' . $linkname_enc;
```
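The code trace above shows the whole chain: `$_SERVER['HTTP_HOST']` flows unchanged into `linkurl`, is URL-encoded, and ends up in the `addtoany.com/add_to/` share link. The following is an added example, not plugin code and not the vendor's 1.7.15 fix: it places the Host-header-dependent URL builder next to a hardened variant that takes scheme and host from the configured site address and only the path and query from the request, plus a small check a site owner can use to log requests whose Host header does not match the site. It is plain PHP with a constructed `$server` array so it runs without WordPress; in a real plugin `$site_home` would come from `home_url()`, and the function names are assumptions.

```php
<?php
// Added example (not AddToAny code): vulnerable URL builder from the advisory
// next to a hardened variant and a Host-header consistency check.

// Vulnerable pattern, reproduced from the advisory: whatever the client sends
// in the Host header becomes the domain of the shared link.
function a2a_current_url_from_host_header( array $server, bool $is_ssl ): string {
    return ( $is_ssl ? 'https://' : 'http://' ) . $server['HTTP_HOST'] . $server['REQUEST_URI'];
}

// Hardened variant (assumption, not the vendor's fix): scheme, host and port
// come from the configured site address; only path and query come from the
// request. In WordPress $site_home would be home_url().
function a2a_current_url_from_site_home( string $site_home, array $server ): string {
    $home = parse_url( $site_home );
    if ( empty( $home['scheme'] ) || empty( $home['host'] ) ) {
        throw new InvalidArgumentException( 'site home must be an absolute URL' );
    }
    // Accept only an absolute path; a value starting with "//" would be read
    // by browsers as a scheme-relative URL with its own host.
    $request = $server['REQUEST_URI'] ?? '/';
    if ( $request === '' || $request[0] !== '/' || substr( $request, 0, 2 ) === '//' ) {
        $request = '/';
    }
    $port = isset( $home['port'] ) ? ':' . $home['port'] : '';
    return $home['scheme'] . '://' . $home['host'] . $port . $request;
}

// Defender-side check: does the Host header name the configured site host?
// A mismatch on a cached page is worth logging as a possible poisoning attempt.
function a2a_host_header_matches_site( string $site_home, array $server ): bool {
    $expected = parse_url( $site_home, PHP_URL_HOST );
    // Parse the header as an authority so "[::1]:8080" and "host:port" both work.
    $got = parse_url( 'http://' . ( $server['HTTP_HOST'] ?? '' ), PHP_URL_HOST );
    return is_string( $expected ) && is_string( $got )
        && strtolower( $expected ) === strtolower( $got );
}

// Constructed request: a Host header the site does not own.
$server = array(
    'HTTP_HOST'   => 'attacker.invalid',
    'REQUEST_URI' => '/2017/08/some-post/?utm=share',
);
$site_home = 'https://blog.example';

echo 'vulnerable: ' . a2a_current_url_from_host_header( $server, true ) . "\n";
echo 'hardened:   ' . a2a_current_url_from_site_home( $site_home, $server ) . "\n";
echo 'host ok:    ' . ( a2a_host_header_matches_site( $site_home, $server ) ? 'yes' : 'no' ) . "\n";
```

The hardened builder is the relevant contrast to the `use_current_page` branch at add-to-any.php:72-81: `esc_url_raw()` only sanitises the string, it cannot know which host the site legitimately answers for, so the host has to come from configuration rather than from the request. The consistency check is useful independently of the plugin, since a reverse proxy or cache in front of WordPress is where a forged Host header would be stored.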
Impact:
If an attacker managed to poison the website's cache, they could make users share the attacker's website for fun and profit, place malicious code on that website to drive traffic to it through the share buttons, or clone the attacked website on a squatted domain in order to log the login credentials of users who do not notice that it is not the real website.
Timeline:
16. Aug 2017 1:09 AM MESZ - Vendor contacted
16. Aug 2017 3:20 AM MESZ - Vendor answered and fixed it (Version 1.7.15)