17 May 2018

Reflected Cross-Site Scripting (XSS) Vulnerability in CF7 Invisible reCAPTCHA

In the monitoring we do to keep track of vulnerabilities in WordPress plugins for this service, one thing we have noticed is that developers do not always provide full or consistent information on new versions of plugins. For version 1.3.1 of the plugin CF7 Invisible reCAPTCHA the changelog entry is “Minor bug fix: Resolved the caching issue.”, while the development log entry for the same version says something different: “Security Update in Cf7 Invisible reCAPTCHA”. When we looked over the new version to see whether a vulnerability was being fixed, we found a significant number of changes, which seems out of line with the changelog's description of the change.

The number of changes makes it hard to tell whether a vulnerability was fixed, and we did not find one in our look over it. What we did find was a reflected cross-site scripting (XSS) vulnerability that was introduced in that version.

At the beginning of the function that generates the plugin’s admin page, vsz_cf7_invisible_recaptcha_page(), which is located in the file /cf7-Invisible-recaptcha.php, the new version added code that assigns the value of the GET input “tab” to the variable $tab without sanitizing or validating it:

function vsz_cf7_invisible_recaptcha_page(){
	$tab = isset($_GET["tab"]) ? $_GET["tab"] : "settings";

Further into the function the value is output without being escaped, inside a double-quoted JavaScript string in an inline script block, which permits reflected cross-site scripting (XSS) to occur:

jQuery("#<?php echo $tab; ?>").show();

We have yet to hear back from the developer since we notified them of the issue, but yesterday they released version 1.3.2, which fixes the vulnerability by sanitizing the input when it is assigned to $tab:

$tab = isset($_GET["tab"]) ? sanitize_text_field($_GET["tab"]) : "settings";

And escaping it when it is output (esc_attr() encodes &, <, >, " and ', so the value can neither close the script element nor close the double-quoted JavaScript string it sits in; since the context here is inline JavaScript rather than an HTML attribute, esc_js() for a single-quoted JS string or wp_json_encode() would be the more conventional WordPress choice for this spot):

jQuery("#<?php echo esc_attr($tab); ?>").show();
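To make concrete why the 1.3.1 line is exploitable and why the 1.3.2 change stops it, the following is an added example (not code from the plugin or from this post). It re-creates the two quoted lines in Python, renders a constructed stand-in for the admin page, and feeds the result through Python's own HTML tokenizer to count how many script elements the browser would end up with. html.escape(s, quote=True) encodes the same five characters as WordPress's esc_attr(); the model of sanitize_text_field() (tag stripping and whitespace collapsing) is an assumption and only approximates the real function.

```python
"""Does the injected value escape its context?  Added example, not plugin code."""
import html
import re
from html.parser import HTMLParser

# Constructed stand-in for the part of the admin page around the vulnerable
# line: the $tab value lands inside a JS string literal inside <script>.
ADMIN_PAGE_TEMPLATE = (
    '<div id="settings">...</div>\n'
    '<script>\n'
    'jQuery("#{tab}").show();\n'
    '</script>\n'
)


def esc_attr(value: str) -> str:
    """Model of WordPress esc_attr(): encode &, <, >, \" and '."""
    return html.escape(value, quote=True)


def sanitize_text_field(value: str) -> str:
    """Rough model (assumption) of WordPress sanitize_text_field(): strip
    tags and collapse whitespace.  Note that it leaves double quotes alone."""
    value = re.sub(r"<[^>]*>", "", value)
    return re.sub(r"\s+", " ", value).strip()


def render_131(tab: str) -> str:
    """1.3.1 behaviour: $_GET['tab'] is echoed as-is."""
    return ADMIN_PAGE_TEMPLATE.format(tab=tab)


def render_sanitize_only(tab: str) -> str:
    """Hypothetical fix with only the input-side change from 1.3.2."""
    return ADMIN_PAGE_TEMPLATE.format(tab=sanitize_text_field(tab))


def render_132(tab: str) -> str:
    """1.3.2 behaviour: sanitized on input and esc_attr() on output."""
    return ADMIN_PAGE_TEMPLATE.format(tab=esc_attr(sanitize_text_field(tab)))


class ScriptCollector(HTMLParser):
    """Collects the raw text of every <script> element the tokenizer sees."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def script_bodies(page: str):
    parser = ScriptCollector()
    parser.feed(page)
    parser.close()
    return parser.scripts


def breaks_out(page: str) -> bool:
    """True if the value escaped its context: the tokenizer sees more than one
    script element (the </script> breakout from the proof of concept), or the
    JS string literal was closed early, visible as extra double quotes."""
    bodies = script_bodies(page)
    return len(bodies) != 1 or bodies[0].count('"') != 2


# The payload from the proof of concept, plus a constructed quote-breakout
# variant that needs no < or > characters at all.
POC_PAYLOAD = "</script><script>alert(document.cookie);</script>"
QUOTE_PAYLOAD = '"); alert(document.cookie); //'

if __name__ == "__main__":
    versions = (("1.3.1", render_131), ("sanitize only", render_sanitize_only),
                ("1.3.2", render_132))
    for name, render in versions:
        for payload in (POC_PAYLOAD, QUOTE_PAYLOAD):
            print(f"{name:14} {payload[:18]!r:22} breaks out: {breaks_out(render(payload))}")
```

Running it shows that the input-side sanitize_text_field() alone would have blocked the </script> payload but not the quote-breakout variant, because it does not touch double quotes; it is the esc_attr() at the output that closes both paths.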

After running across this vulnerability we updated our Plugin Security Checker (which is now accessible through a WordPress plugin of its own) to detect vulnerabilities in code similar to this.
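As an illustration of the kind of check described above, here is an added example of a small source scanner for this pattern: a variable assigned from a request superglobal that is later echoed without an output escaper. This is not the Plugin Security Checker's code; the regexes, the list of escapers and the sample PHP (constructed from the two lines quoted on the page, plus a hypothetical $page line showing a numeric cast) are all assumptions.

```python
"""Flag request-derived variables echoed without an output escaper.
Added example, not the Plugin Security Checker's code."""
import re

# $var = <expr>;  where <expr> reads from a request superglobal
ASSIGN = re.compile(r"\$(\w+)\s*=(?!=)\s*(.+?);")
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")
# Calls that turn the value into a number, so it can no longer carry markup.
TAINT_CLEARERS = ("intval(", "absint(", "(int)")
# echo <expr>;  or  echo <expr> ?>
ECHO = re.compile(r"\becho\s+(.+?)\s*(?:;|\?>)")
# Output escapers accepted at the echo site.  sanitize_text_field() is
# deliberately absent: it is input sanitization and leaves quotes intact,
# so on its own it would not have protected the JavaScript string context.
ESCAPER = re.compile(r"^(esc_\w+|wp_json_encode|wp_kses\w*|absint|intval)\s*\(")
PHP_VAR = re.compile(r"\$(\w+)")


def find_unescaped_reflection(php_source: str):
    """Return [(line_number, variable)] for every echo of a request-derived
    variable that is not wrapped in an output escaper."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for m in ASSIGN.finditer(line):
            var, expr = m.group(1), m.group(2)
            if SUPERGLOBAL.search(expr):
                if any(c in expr for c in TAINT_CLEARERS):
                    tainted.discard(var)   # cast to a number: harmless
                else:
                    tainted.add(var)       # still carries attacker bytes
            elif not any(v in tainted for v in PHP_VAR.findall(expr)):
                tainted.discard(var)       # reassigned from a clean source
        for m in ECHO.finditer(line):
            expr = m.group(1).strip()
            if ESCAPER.match(expr):
                continue
            for var in PHP_VAR.findall(expr):
                if var in tainted:
                    findings.append((lineno, var))
    return findings


# Constructed samples.  The $tab and jQuery lines are the ones quoted on the
# page; the $page lines are hypothetical, added to exercise the numeric cast.
VULNERABLE_131 = r'''<?php
function vsz_cf7_invisible_recaptcha_page(){
    $tab = isset($_GET["tab"]) ? $_GET["tab"] : "settings";
    $page = absint($_GET["paged"]);
    ?>
    <script>
    jQuery("#<?php echo $tab; ?>").show();
    jQuery("#page-<?php echo $page; ?>").show();
    </script>
    <?php
}
'''

SANITIZE_ONLY = VULNERABLE_131.replace(
    '? $_GET["tab"] :', '? sanitize_text_field($_GET["tab"]) :')

FIXED_132 = SANITIZE_ONLY.replace('echo $tab;', 'echo esc_attr($tab);')

if __name__ == "__main__":
    for name, src in (("1.3.1", VULNERABLE_131), ("sanitize only", SANITIZE_ONLY),
                      ("1.3.2", FIXED_132)):
        print(f"{name:14}", find_unescaped_reflection(src) or "no findings")
```

The check is line-based and intentionally simple: it tracks taint per variable name within a file and only clears it on a numeric cast or a reassignment from a clean expression, so a value that passed through sanitize_text_field() still has to meet an esc_* call at the echo.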

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box when logged in as an Administrator. At the time of writing, major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those browsers (Chrome has since removed its XSS Auditor).

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=cf7-Invisible-recaptcha&tab=</script><script>alert(document.cookie);</script>

Timeline

  • May 14, 2018 – Developer notified.
  • May 16, 2018 – Version 1.3.2 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
