WP-Piwik plugin : stored XSS vulnerability

PUBLISHED ON MAR 5, 2016 — SECURITY

This post come from my old blog wrote in December.

I have a Piwik plugin on my WordPress blog to check the traffic and know where my visitors come from and I discovered a vulnerability by “accident”.

I use quotation marks because I tried to check XSS vulnerabilities on the Apex WordPress theme. So, search bars, comments, every inputs were checked and I found one reflected XSS on the search bar. Not really critical but a bit dangerous. After a little pull request to correct the vulnerability on the Github repo of the theme, I thought my job was done and that my blog was now protected.

I was wrong !

Happy with my discovery, I checked my analysis reports from Piwik through the dedicated WordPress plugin. I got some awesome popups like these ones :

XSS alert

I thought : “… WHAT ?!”.

After few minutes of research, I discovered that these popups were created by expressions searched to check existence of reflected XSS.

To be clear, search entries were displayed without any protection. The source code of the vulnerable part :

Piwik Wordpress Plugin's code

I must say that having a theme which filter that doesn’t protect you against these attacks. I want to be clear, XSS can be very dangerous but it’s easy to protect yourself against these attacks ! Just use PHP functions htmlentities() or htmlspecialchars().

After the discovery, I communicate this vulnerability to the main developer of the WP-Piwik plugin and the patch was added in the version 1.0.5.