W3 Total Cache Plugin For WordPress Cache Key XSS

2015-01-1500:00:00

www.tenable.com

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

7.1

Confidence

Low

EPSS

0.002

Percentile

64.9%

JSON

The version of the W3 Total Cache plugin for WordPress hosted on the remote web server fails to properly sanitize user-supplied input to the ‘Cache key’ in the HTML comments displayed when ‘Page cache debug info’ is enabled. An attacker can exploit this to execute arbitrary script code within the context of the user’s browser.

Note that this plugin for WordPress is also reportedly affected by multiple cross-site request forgery (XSRF) vulnerabilities; however, Nessus has not tested for these.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(80553);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/04");

  script_cve_id("CVE-2014-8724");
  script_bugtraq_id(71665);

  script_name(english:"W3 Total Cache Plugin For WordPress Cache Key XSS");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a PHP script that is affected by a
cross-site scripting vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of the W3 Total Cache plugin for WordPress hosted on the
remote web server fails to properly sanitize user-supplied input to
the 'Cache key' in the HTML comments displayed when 'Page cache debug
info' is enabled. An attacker can exploit this to execute arbitrary
script code within the context of the user's browser.

Note that this plugin for WordPress is also reportedly affected by
multiple cross-site request forgery (XSRF) vulnerabilities; however,
Nessus has not tested for these.");
  script_set_attribute(attribute:"see_also", value:"https://www.secuvera.de/advisories/secuvera-SA-2014-01.txt");
  script_set_attribute(attribute:"see_also", value:"https://wordpress.org/plugins/w3-total-cache/#changelog");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 0.9.4.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:w3edge:total_cache");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses : XSS");

  script_copyright(english:"This script is Copyright (C) 2015-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("wordpress_detect.nasl", "wordpress_w3_total_cache_info_disclosure.nasl");
  script_require_keys("installed_sw/WordPress", "www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

app = "WordPress";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(app_name:app, port:port);

dir = install['path'];
install_url = build_url(port:port, qs:dir);

plugin = "W3 Total Cache";

# Check KB first
installed = get_kb_item("www/"+port+"/webapp_ext/"+plugin+" under "+dir);

if (!installed) audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, plugin + " plugin");

xss_test = '--><script>alert(' + unixtime() + ');</script>';
escape_xss = ereg_replace(string:xss_test, pattern:"\(", replace:"\(");
escape_xss = ereg_replace(string:escape_xss, pattern:"\)", replace:"\)");

url = "/" + xss_test;

res = http_send_recv3(
  method : "GET",
  port   : port,
  item   : dir + url,
  fetch404     : TRUE,
  exit_on_fail : TRUE
);
pat = "Cache key:(\s)+.*" + escape_xss;

if (ereg(pattern:pat, string:res[2], multiline:TRUE))
{
  output = strstr(res[2], "<!-- W3 Total Cache:");
  if (empty_or_null(output))
  {
    output = extract_pattern_from_resp(
      string  : res[2],
      pattern : 'RE:' + pat
    );
  }
  security_report_v4(
    port       : port,
    severity   : SECURITY_WARNING,
    generic    : TRUE,
    xss        : TRUE,
    request    : make_list(install_url + url),
    output     : chomp(output)
  );
}
else
  audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, plugin + " plugin");