WordPress plugin with over 10,000 installations contains a critical unpatched vulnerability. The vulnerability was discovered by Melbin Mathew yesterday and it deserves the attention of those who have installed this plugin on their WordPress sites.
The plugin has XSS(Cross-site Scripting) vulnerability that can easily be exploited by a hacker. Here is how it works.
Colorbox Lightbox plugin allows site admins to implement functionlity in site to allow users to see content in popup. The way it works is anyone writing a post can use the following shortcode with the media URL and hyperlink –
[wp_colorbox_media url="http://www.youtube.com/embed/nmp3Ra3Yj24" type="youtube" hyperlink="Click here"]
[wp_colorbox_media url="http://www.youtube.com/embed/nmp3Ra3Yj24" type="youtube" hyperlink="Click here <script>alert('XSS from hyperlink param')</script>"]
As you can see in the above image, the script provided in the hyperlink parameter executed in web browser.
But for a better chance of making an admin hit it is by writing a post and make him review it. That way, when a logged-in user reviews a post, his/her site cookies can be sent silently to the hacker and then hacker can log in as an admin.
No patch released yet
So far the vulnerability is working on the latest version of plugin. All the 10,000+ websites that have installed this plugin are under huge risk of exposing their sites to hackers.
I also tested this vulnerability with WordFence free firewall, unfortunately the WordFence free version does not protect the site from exploiting this vulnerability. The way WordFence free version works is that they provide security patches to free users after 30 days of discovery. So may be they have provided the patch but that’s not yet available for free users.