Intro: Why Clickjacking matters

Clickjacking is a vulnerability that is often underestimated, despite Clickjacking potentially affecting the confidentiality, integrity, and availability of the application to a high degree.

The impact of a successful attack can be privilege escalation (eg changing permissions from regular user to full admin), weakening of security mechanisms (eg disabling 2FA), deletion of data, or making data publicly accessible.

I have previously shown that it is even possible to control text input via Clickjacking (at least in Firefox), giving Clickjacking (almost) the full power of CSRF.

But compared to CSRF, Clickjacking requires more user interaction than simply visiting an attacker-controlled page. For simple one-click attacks such as like-stealing, this is negligible, but for multi-click attacks (eg checking the “is admin” box, followed by a click on “save”), this seems to prevent real-world exploitation. Who is going to click 5 times in exactly the right position? Nobody.

But users click on webpages all the time! If we can intercept and redirect these clicks to where they are needed, multi-click attacks suddenly become much more realistic.

With advanced Clickjacking techniques such as automatically tracking the mouse cursor and directing the click exactly where it’s needed, it is possible to exploit multi-click Clickjacking vulnerabilities in the wild. The user simply has to click somewhere - anywhere - a couple of times.

After seeing this advisory about an issue that should really have been caught by a cursory source code check, I wanted to see if there are any other low-handing fruits in WordPress plugins. Instead of my normal process of a mixture of black box testing and proper source code analysis, I decided to download a large number of WordPress plugins and run a couple of grep searches against them, without any deeper analysis.

• Vulnerability: Unauthenticated Persistent XSS, Blind SQL Injection, Misc
• Affected Software: Forminator (10,000+ active installations)
• Affected Version: 1.5.4
• Patched Version: 1.6
• CVE: CVE-2019-9567 (XSS) / CVE-2019-9568 (SQL Injection)
• Risk: High
• Vendor Contacted: 11/25/2018
• Vendor Fix: 12/10/2018
• Public Disclosure: 02/05/2019

• Vulnerability: XSS & CSRF
• Affected Software: Contact Form Email (30,000+ active installations)
• Affected Version: 1.2.65
• Patched Version: 1.2.66
• CVE: CVE-2019-9646 (XSS)
• Risk: Medium
• Vendor Contacted: 10/31/2018
• Vendor Fix: 10/31/2018
• Public Disclosure: 02/05/2019

• Vulnerability: XSS
• Affected Software: Quiz And Survey Master (20,000+ active installations)
• Affected Version: 6.0.4
• Patched Version: none
• CVE: CVE-2019-9575
• Risk: Medium
• Vendor Contacted: 10/25/2018
• Vendor Fix: none
• Public Disclosure: 02/05/2019

• Vulnerability: XSS
• Affected Software: Give (50,000+ active installations)
• Affected Version: 2.3.0
• Patched Version: 2.3.1
• Risk: Medium
• Vendor Contacted: 11/24/2018
• Vendor Fix: 12/13/2018
• Public Disclosure: 02/05/2019

• Vulnerability: XSS
• Affected Software: WP Live Chat Support (60,000+ active installations)
• Affected Version: 8.0.17
• Patched Version: 8.0.18
• Risk: Medium
• Vendor Contacted: 10/31/2018
• Vendor Fix: 11/01/2018
• Public Disclosure: 02/05/2019

• Vulnerability: XSS
• Affected Software: wpGoogleMaps (400,000+ active installations)
• Affected Version: 7.10.41
• Patched Version: 7.10.43
• Risk: Medium
• Vendor Contacted: 10/25/2018
• Vendor Fix: 10/31/2018
• Public Disclosure: 02/05/2019

• Vulnerability: XSS
• Affected Software: YOP Poll (20,000+ active installations)
• Affected Version: 6.0.2
• Patched Version: 6.0.3
• Risk: Medium
• Vendor Contacted: 10/25/2018
• Vendor Fix: 11/26/2018
• Public Disclosure: 02/05/2019

• Vulnerability: XSS
• Affected Software: Blog2Social (30,000+ active installations)
• Affected Version: 5.0.2
• Patched Version: 5.0.3
• CVE: CVE-2019-9576
• Risk: Medium
• Vendor Contacted: 10/25/2018
• Vendor Fix: 11/13/2018
• Public Disclosure: 02/05/2019