0xB9's Vulnerability Follow-Ups

Vulnerabilities & other security nonsense!

Broken Access Allows Users to Change Policy Banner For Easy Cookie Policy WordPress Plugin <= 1.6.2

Mar 26 2022
VulnerabilitiesWordPress

I came across a Broken Access Control vulnerability in the Easy Cookie Policy plugin for WordPress on February 27th, 2021. This affects all versions of the plugin, and unfortunately, there is no fix available for the plugin which has since been removed from the WordPress plugin repository.

About The Plugin

The Easy Cookie Policy plugin allowed admins to create a cookie policy page and displayed a cookie policy banner on the website for visitors to accept.
easy-cookie-banner
Due to GDPR and CCPA laws, it seems almost every website has a cookie banner for you to accept now.

Broken Access Control

While I was playing around with this plugin I noticed that the settings were updated via an admin-ajax request. After seeing this, I took a closer look at the request and saw there was no nonce included with this request.easy-cookie-request
Once I noticed that I decided to swap out my administrator role cookies with subscriber role cookies to see what would happen… {"status":"OK","text":"Configuration data updated","url":"http:\/\/localhost\/wp","cookie":"easy_cookies_policy_warning"}
And success! So that’s cool, any authenticated user can update the settings of the plugin… But I always like to try and take things a step further.

Broken Access Control To Stored XSS

Since the settings for this plugin are pretty basic, there isn’t too much else we can really do here. The plugin doesn’t even make any database calls. That being said, there is a big textarea box for the banner message. With that I did the obvious and input a basic Cross-Site Scripting payload (<script>alert(1)</script>) to see how it would react to the input and easily enough… easy-cookie-xss

Boom XSS! No sanitization here at all! Now we can combine this stored cross-site scripting with the broken access. This means any authenticated user can update the banner message to a JavaScript payload that executes on every page of the website. Another thing to point out is if you look at the screenshot of the request again, you can see the expires=365 parameter. You can set this to 1 to reset the cookie banner. That way if a user already accepted the cookies before you added a payload, it will expire in 1 day so they will need to accept the banner again. This time with the payload though!

Timeline
  • February 27th, 2021: Vulnerability discovered.
  • February 28th, 2021: Contacted developer about vulnerability.
  • March 1st, 2021: Developers responded, wanted proof of concept.
  • March 1st, 2021: Sent proof of concept.
  • March 1st, 2021: Developers thanked, then mentioned the owner no longer works at the company.
  • March 25th, 2021: Asked for an update of the status, no response.
  • April 27th, 2021: Contacted WordPress Plugin Team about the security issue.
  • April 28th, 2021: Plugin was closed by WordPress Plugin Team.
References

https://wpscan.com/vulnerability/9157d6d2-4bda-4fcd-8192-363a63a51ff5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24405

If you enjoyed this post, check out my last post about a reflected Cross-Site Scripting vulnerability found in the admin panel of a plugin with over 100,000+ active installs!