Stored XSS Vulnerability in Google Analytics by Yoast WordPress Plugin

.. contents:: Table Of Content

Overview

  • Title: Stored XSS Vulnerability in Google Analytics by Yoast WordPress Plugin
  • Author: Kaustubh G. Padwad, Rohit Kumar.
  • Plugin Homepage: https://yoast.com/wordpress/plugins/google-analytics/
  • Severity: Medium
  • Version Affected: Version 5.3.2 and most prior versions
  • Version Tested: Version 5.3.2
  • Version Patched:

Description

Vulnerable Parameter

  • Current UA-Profile
  • Manually enter your UA code
  • Label for those links
  • Set path for internal links to track as outbound links:
  • Subdomain tracking:
  • Extensions of files to track as downloads:

About Vulnerability

This plugin is vulnerable to stored cross-site scripting (XSS). The issue can be exploited by administrator users who have access to the "Google Analytics by Yoast" settings in WordPress: each of the parameters listed above is vulnerable to stored XSS. A malicious administrator can hijack other users' sessions, take control of another administrator's browser, or install malware on their computer.
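The general pattern behind a stored XSS in a settings field, and the two controls that stop it, as an added example in plain PHP. This is not the plugin's code or its actual fix; the helper names, the field name ``manual_ua_code`` and the UA-ID pattern are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not code from the plugin.

// Allow-list check on save. Assumed format: UA-<account digits>-<property digits>.
function validate_ua_code(string $input): ?string
{
    $candidate = trim($input);
    return preg_match('/\AUA-\d{4,10}-\d{1,4}\z/', $candidate) === 1 ? $candidate : null;
}

// Vulnerable pattern: the stored value is concatenated into an attribute unescaped,
// so a double quote in the value ends the attribute and the rest is parsed as markup.
function render_field_unsafe(string $stored): string
{
    return '<input type="text" name="manual_ua_code" value="' . $stored . '">';
}

// Hardened pattern: encode for the HTML attribute context on every output,
// even when the value was validated on save.
function render_field_safe(string $stored): string
{
    $encoded = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="manual_ua_code" value="' . $encoded . '">';
}

// Payload string exactly as printed in the reproduction steps on this page.
$payload = 'v style="position:absolute;top:0;left:0;width:100%;height:100%" '
         . 'onmouseover="prompt(1)" onclick="alert(1)">x';

// First entry is a constructed, well-formed ID; second is the page's payload.
$samples = ['UA-1234567-1', $payload];

foreach ($samples as $submitted) {
    $accepted = validate_ua_code($submitted);
    echo 'submitted : ', $submitted, PHP_EOL;
    echo 'validation: ', $accepted === null ? 'rejected, nothing stored' : 'stored as ' . $accepted, PHP_EOL;
    echo 'unsafe    : ', render_field_unsafe($submitted), PHP_EOL;
    echo 'safe      : ', render_field_safe($submitted), PHP_EOL, PHP_EOL;
}
```

Inside WordPress, ``sanitize_text_field()`` on save and ``esc_attr()`` on output play the same roles as the validation and encoding helpers here.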

Vulnerability Class

Steps to Reproduce: (POC)

After installing the plugin:
  • Go to Settings --> Google Analytics by Yoast
  • Input this payload in "Manually enter your UA code": v style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x
  • Click on the Save Changes button and move your cursor to the input box; you will see the XSS in action
  • Reload the page or navigate to the page again to make sure it is stored ;)

Mitigation

Change Log

Disclosure

22-February-2015 Reported to developer
25-February-2015 Fixed by developer
05-March-2015 Issue Closed with team.
06-March-2015 Public Disclosure

Credits