
“URL Cloak & Encrypt” WordPress plugin XSS vulnerability

2 July 2012

The “URL Cloak & Encrypt” WordPress plugin is vulnerable to cross-site scripting (XSS).

Vulnerable code:

if (strpos($url, 'http://') === false && strpos($url, 'https://') === false) $url = base64_decode($url);

POC:

http://{SITE_URL}/wp-content/plugins/url-cloak-encrypt/url.php?id=Ij48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0PjwhLS0=

(base64-encoded value of "><script>alert('XSS')</script><!--)

How to fix:

Edit this

echo '<meta http-equiv="refresh" content="'.(html_entity_decode($wp_letsfxurl_arr['red'])).';url=http://j.letsw.com/?'.$url.'">';
$aurl = "<a href=\"http://j.letsw.com/?$url\" style=\"text-align:center;\" rel=\"nofollow\">$url</a><br>";

To

echo '<meta http-equiv="refresh" content="'.(html_entity_decode($wp_letsfxurl_arr['red'])).';url=http://j.letsw.com/?'.str_replace('"','',strip_tags($url)).'">';
// The link text is filtered the same way as the href, so no tag from $url reaches the page.
$aurl = "<a href=\"http://j.letsw.com/?".str_replace('"','',strip_tags($url))."\" style=\"text-align:center;\" rel=\"nofollow\">".str_replace('"','',strip_tags($url))."</a><br>";
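An added example, not the plugin's code or the patch above: the same two output lines built with htmlspecialchars() and ENT_QUOTES instead of strip_tags() and quote removal, plus a check that the decoded value is an http(s) URL. The function names, the $delay parameter standing in for $wp_letsfxurl_arr['red'], and the assumption that a legitimate id always decodes to an http(s) URL are mine; inside WordPress, esc_url(), esc_attr() and esc_html() do the same job.

```php
<?php
// Added example; helper names and $delay are hypothetical, not the plugin's.

// Decode the id parameter as the plugin does, then accept only http(s) URLs.
// Assumption: a legitimate id always decodes to an absolute http(s) URL.
function decode_target(string $id): ?string
{
    $url = $id;
    if (strpos($url, 'http://') === false && strpos($url, 'https://') === false) {
        $decoded = base64_decode($url, true); // strict: false on invalid input
        if ($decoded === false) {
            return null;
        }
        $url = $decoded;
    }
    if (preg_match('/[\x00-\x20\x7f]/', $url)) { // no whitespace or control bytes
        return null;
    }
    $parts = parse_url($url);
    $scheme = is_array($parts) ? strtolower($parts['scheme'] ?? '') : '';
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return null;
    }
    return $url;
}

// Escape for the HTML context the value lands in; this is what closes the XSS.
function render_redirect(string $url, int $delay): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $meta = '<meta http-equiv="refresh" content="' . $delay
          . ';url=http://j.letsw.com/?' . $safe . '">';
    $link = '<a href="http://j.letsw.com/?' . $safe
          . '" style="text-align:center;" rel="nofollow">' . $safe . '</a><br>';
    return $meta . "\n" . $link;
}

// Constructed inputs: the id value from the POC above and a benign cloaked URL.
$samples = [
    'Ij48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0PjwhLS0=',
    base64_encode('http://example.com/page?a=1&b=2'),
];
foreach ($samples as $id) {
    $url = decode_target($id);
    echo $url === null ? "rejected\n" : render_redirect($url, 5) . "\n";
}
// Escaping alone, with validation skipped, still renders the POC value inert.
echo render_redirect(base64_decode($samples[0]), 5), "\n";
```

The URL check is defense in depth only: a value that contains http:// skips decoding and can still carry markup, so the escaping in render_redirect() is the control that matters.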

Advice:
Remove that plugin. It is not only bad for your SEO, it is also full of hidden iframes and redirects to the author's site (or sites affiliated with him).
Plus the URL is predictable: the plugin doesn't really “cloak” the URL, it just obfuscates it, which is useless.
