Coming Soon Page, Under Construction & Maintenance Mode by SeedProd plugin for WordPress version 5.1.0 and below were found to be vulnerable to stored XSS while I was auditing the plugin. Plugin version 5.1.2 with improved data sanitization was released on June 24, 2020.
CVE ID: CVE-2020-15038
Coming Soon Page, Under Construction & Maintenance Mode by SeedProd is a popular WordPress Plugin with over 1 million active installations. It was found to be vulnerable to stored Cross-Site Scripting (XSS) vulnerability. XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.
While there are multiple ways in which an attacker can perform malicious actions exploiting this vulnerability, let’s take a look at two.
If an attacker were to exploit the vulnerability, they would be able to use an XSS payload to cause redirection such that any time the developer enables maintenance mode, a user visiting the site would be redirected to a domain under the attacker’s control, which could be made to look exactly like the original website with a login form for the user to submit their credentials. If the user submits their credentials without noticing the changed domain, their account gets compromised.
Similarly, an attacker can also use a payload to create a login form on the Coming Soon/Maintenance Mode page itself, trying to bait unsuspecting users into entering their credentials.
The Headline field under the Page Settings section along with other fields in the plugin settings were found to be vulnerable to stored XSS, which gets triggered when the Coming Soon page is displayed (both in preview mode and live).
POST /wp-admin/options.php HTTP/1.1 Host: localhost:10004 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost:10004/wp-admin/admin.php?page=seed_csp4 Content-Type: application/x-www-form-urlencoded Content-Length: 636 Origin: http://localhost:10004 Connection: close Cookie: ... option_page=seed_csp4_settings_content&action=update&_wpnonce=faced0b8ff&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dseed_csp4&seed_csp4_settings_content%5Bstatus%5D=1&seed_csp4_settings_content%5Blogo%5D=&seed_csp4_settings_content%5Bheadline%5D=%3Cscript%3Ealert%28%22Stored+XSS+in+Page+Headline%22%29%3C%2Fscript%3E&seed_csp4_settings_content%5Bdescription%5D=Proof+of+Concept&seed_csp4_settings_content%5Bfooter_credit%5D=0&submit=Save+All+Changes&seed_csp4_settings_content%5Bfavicon%5D=&seed_csp4_settings_content%5Bseo_title%5D=&seed_csp4_settings_content%5Bseo_description%5D=&seed_csp4_settings_content%5Bga_analytics%5D=
Vulnerability reported to the SeedProd team on June 22, 2020.
Version 5.1.2 containing the fix to the vulnerability was released on June 24, 2020.
It is highly recommended to update the plugin to the latest version.
For best security practices, you can follow the below guides: