A stored cross-site scripting vulnerability exists in versions <= 1.4.11 of the WordPress Plugin Simple Fields. A specially crafted POST request can be made that injects scripts into the functionality of new WordPress Posts and Pages function as well as Simple Fields administrative settings. This occurs because the user-provided input does not go through any filtering/sanitization and the function that allows the admin-post does not authenticate the user. The plugin is currently removed from the WordPress download page.
- An attacker makes a POST request to a specific method in the program that decodes a JSON payload and sets variables that will later be manifested in the DOM.
- The attacker will receive a 302 Found and no error messages, and the payload is now stored in the WordPress instance Options.
The attacker must be able to send crafted packets to the target system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
The Options table must be cleaned even after the plugin is uninstalled to ensure no further versions will pull the same information. Ensure that all software on internet-facing hosts is up-to-date.