Re: CVE request / Advisory: Floating Social Bar (Wordpress plugin) 1.0.1 - 1.1.6

[Matthew Daley <mattd () bugfuzz com>]

On 13 April 2015 at 18:25,  <cve-assign () mitre org> wrote:
> > I'd like to request a CVE ID for this issue. This is the first such
> > request; this message serves as an advisory as well.
> >
> > Affected software: Floating Social Bar (Wordpress plugin)
> > Affected versions: 1.0.1 - 1.1.6
> > Website: https://wordpress.org/plugins/floating-social-bar/
> >
> > Description: One of the plugin's unauthenticated AJAX action handlers
> > is vulnerable to a stored cross-site scripting vulnerability. By
> > invoking the action with certain parameters, it is possible for
> > unauthenticated attackers to force the persistent injection of
> > arbitrary script across the site's post pages.
> >
> > Fixed version: 1.1.7
> > Fix: https://plugins.trac.wordpress.org/changeset/1129648/floating-social-bar/trunk
> > Changelog: https://plugins.trac.wordpress.org/changeset/1129648/floating-social-bar/trunk#file5
>
> Use CVE-2015-3299 for the specific issue in your "Description" section
> above. It seems conceivable that 1129648 also fixed something else,
> e.g.,
>
>   1. Maybe the
>      "-     add_action( 'wp_ajax_nopriv_fsb_save_order', array( $this, 'save_order' ) );"
>
>      code change means that wp_ajax_nopriv_fsb_save_order allowed
>      bypassing intended access control, even if the attacker did not
>      supply an XSS payload.

Yes. It wasn't intended for non-administrators to be able to adjust
the services by executing the action.

>   2. Maybe the patched code can help to prevent a CSRF attack against
>      an authenticated action handler.

Again, yes. Administrators could be forced to execute the action with
an attacker's parameters via a CSRF attack. Nonces have been added to
stop this.

> If so, then additional CVE IDs would be needed.