iRobots.txt SEO <= 1.1.2 - Reflected Cross-Site Scripting
Description
The iRobots.txt SEO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Technical Details
Affected versions: <= 1.1.2
Since the source code for iRobots.txt SEO version 1.1.2 is not provided, this plan is based on the vulnerability description, standard WordPress plugin architecture, and common reflected XSS patterns found in SEO-related plugins.
1. Vulnerability Summary
The iRobots.txt SEO plugin is vulnerable to Reflected Cross-Site Scripting (XSS) due to a failure to properly sanitize and escape user-supplied input before rendering it in the admin dashboard. The vulnerability typically exists in the admin settings page, where a URL parameter (such as a configuration tab, search query, or status message) is echoed directly into the HTML response. An attacker can craft a malicious URL containing a script payload; if an authenticated administrator clicks this link, the script executes in their browser context.
2. Attack Vector Analysis
- Endpoint: /wp-admin/options-general.php (standard for SEO plugins) or /wp-admin/admin.php.
- Query Parameter: page=irobotstxt-seo (inferred slug) along with a vulnerable reflection parameter such as tab, msg, or s.
- Authentication Level: Unauthenticated to craft/send the link; requires a logged-in Administrator to click the link (Reflected XSS).
- Vulnerable Sink: Likely an echo or printf statement inside the admin menu callback function.
3. Code Flow (Inferred)
- The plugin registers an admin page using add_options_page() or add_menu_page() with the slug irobotstxt-seo.
- The callback function associated with this menu (e.g., irobotstxt_seo_admin_page()) is executed when the administrator visits the settings.
- Inside the callback, the code retrieves a value from the $_GET or $_REQUEST superglobals (e.g., $active_tab = $_GET['tab'];).
- The code outputs this value back to the page to indicate the current state or display a message (e.g., echo "<h2>Settings for $active_tab</h2>";) without using esc_html() or esc_attr().
- The browser interprets the injected script tags, executing the attacker's payload.
4. Nonce Acquisition Strategy
Reflected XSS in a GET parameter typically occurs before or independently of any nonce-protected actions (like saving settings). Therefore, a nonce is likely not required to trigger the reflection.
However, if the goal is to leverage the XSS to perform an administrative action (e.g., creating a new admin user), the XSS payload must dynamically extract the required nonce from the page DOM using JavaScript.
Strategy for Payload (if needed for CSRF):
- Use browser_navigate to load the settings page.
- The reflection should occur immediately.
- If the payload needs to perform an action, use browser_eval("document.querySelector('#_wpnonce')?.value") to identify where nonces are stored in the admin UI for future chain exploitation.
5. Exploitation Strategy
Step 1: Identify the Vulnerable Parameter
The agent should test common reflection points on the plugin's admin page.
- Target URL: http://localhost:8080/wp-admin/options-general.php?page=irobotstxt-seo&tab=test_reflection
- Payload: </b><script>alert(1)</script>
Step 2: Execution via Playwright
The exploitation must be performed using the browser_navigate tool to simulate an administrator's session.
Request Details:
- Method: GET
- URL: http://localhost:8080/wp-admin/options-general.php?page=irobotstxt-seo&tab=%3C/b%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
- Alternative URL: http://localhost:8080/wp-admin/admin.php?page=irobotstxt-seo&msg=%3Cscript%3Econfirm(1)%3C/script%3E
Step 3: Verification of Execution
The agent will check if the script is present in the rendered HTML and if the browser's dialog handling (if triggered) confirms execution.
6. Test Data Setup
- Install Plugin: Ensure irobotstxt-seo version 1.1.2 is installed and activated.
- User Creation: Create a standard administrator user (e.g., admin/password).
- Session: Use browser_navigate to log in as the administrator first to establish the authenticated session.
7. Expected Results
- The HTTP response should contain the raw, unescaped payload: </b><script>alert(document.domain)</script>.
- When viewed in a browser, a JavaScript alert box should trigger, or the script should be visible in the DOM as an executable block rather than encoded text (e.g., NOT &lt;script&gt;).
8. Verification Steps
After attempting the injection:
- Check Page Source: Search for the string alert(document.domain) in the response body.
- Verify Non-Escaping: Confirm that < and > characters are not converted to &lt; and &gt;.
- DOM Inspection: Use browser_eval to check if a specific element injected by the payload exists: browser_eval("document.body.innerHTML.includes('alert(document.domain)')")
9. Alternative Approaches
If the tab parameter is not vulnerable:
- Test s parameter: ?page=irobotstxt-seo&s=<script>alert(1)</script> (common in plugins with search/filter logs).
- Test error or message parameters: Some plugins reflect an error string in a notice: ?page=irobotstxt-seo&error=<img src=x onerror=alert(1)>.
- Check for POST-based Reflection: Attempt to submit a settings form with a payload in a text field that is echoed back in a "Value saved: [payload]" message. This would require an http_request with a valid nonce (which can be found using browser_navigate + browser_eval).
Summary
The iRobots.txt SEO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to 1.1.2 due to insufficient input sanitization and output escaping. An unauthenticated attacker can exploit this by tricking an administrator into clicking a link that injects arbitrary scripts into the plugin's settings page.
Vulnerable Code
// Inferred vulnerable logic within the admin settings callback
// Likely located in the main plugin file or admin display handler
$active_tab = isset($_GET['tab']) ? $_GET['tab'] : 'general';
// ...
echo "<h2>Settings for $active_tab</h2>"; // Reflection point without escaping

---

// Alternative reflection point in admin notices
if (isset($_GET['msg'])) {
    echo '<div class="updated"><p>' . $_GET['msg'] . '</p></div>';
}
Security Fix
@@ -10,5 +10,5 @@ -$active_tab = isset($_GET['tab']) ? $_GET['tab'] : 'general'; +$active_tab = isset($_GET['tab']) ? sanitize_text_field($_GET['tab']) : 'general'; -echo "<h2>Settings for $active_tab</h2>"; +echo "<h2>Settings for " . esc_html($active_tab) . "</h2>"; if (isset($_GET['msg'])) { - echo '<div class="updated"><p>' . $_GET['msg'] . '</p></div>'; + echo '<div class="updated"><p>' . esc_html($_GET['msg']) . '</p></div>'; }
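Review bot: the hunk still accepts tab and msg as free text; sanitize_text_field() strips tags but does not restrict tab to the tabs the settings page actually has, so validate it against an allow-list (for example in_array( $active_tab, array( 'general', 'advanced' ), true ) with a fallback to 'general', tab names hypothetical) and treat msg as a lookup key into a fixed set of notice strings, otherwise a crafted link can still place arbitrary text inside an admin notice even though esc_html() now prevents script execution. The esc_html() calls are the correct escaping for these HTML text contexts; by WordPress convention the raw $_GET values should also pass through wp_unslash() before sanitize_text_field().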
Exploit Outline
The exploit targets the plugin's administration dashboard, typically found at /wp-admin/options-general.php?page=irobotstxt-seo. An attacker crafts a malicious URL containing a JavaScript payload (e.g., </b><script>alert(document.domain)</script>) within a vulnerable GET parameter such as 'tab', 'msg', or 's'. The attacker then tricks a logged-in administrator into visiting this URL via social engineering. Because the plugin reflects these parameters directly into the HTML response without escaping them (for example with esc_html()), the browser executes the script in the context of the administrator's session. No nonce is required to trigger the reflection.
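As an added defender-side example (not code from the advisory or from the plugin), the following Python scans web-server access-log lines for requests to the plugin's admin page whose tab, msg or s parameter carries HTML metacharacters after the same single percent-decoding PHP applies, which is the request shape described above. The page slug and parameter names come from this advisory; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Plugin page slug and the GET parameters the advisory names as reflection points.
VULN_PAGE_SLUG = "irobotstxt-seo"
REFLECTED_PARAMS = ("tab", "msg", "s", "error", "message")
# Characters that must never reach an HTML text sink unescaped.
HTML_META = re.compile(r'[<>"\']')
# Combined-format request line: client IP, timestamp, method, request target.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not from the page or any real server); the two
# payload lines reuse the URLs shown in the advisory's exploit outline.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-admin/options-general.php?page=irobotstxt-seo&tab=general HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2024:12:00:07 +0000] "GET /wp-admin/options-general.php?page=irobotstxt-seo&tab=%3C/b%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 5230
203.0.113.9 - - [10/Mar/2024:12:00:09 +0000] "GET /wp-admin/admin.php?page=irobotstxt-seo&msg=%3Cscript%3Econfirm(1)%3C/script%3E HTTP/1.1" 200 4100
203.0.113.5 - - [10/Mar/2024:12:00:30 +0000] "GET /wp-admin/admin.php?page=irobotstxt-seo&msg=Settings+saved HTTP/1.1" 200 4100
198.51.100.2 - - [10/Mar/2024:12:01:00 +0000] "GET /wp-admin/admin.php?page=other-plugin&tab=%3Cb%3E HTTP/1.1" 200 900
"""

def inspect_request(target):
    """Return [(param, decoded_value)] for each reflected parameter carrying HTML
    metacharacters on the plugin's admin page; [] for any other request."""
    parts = urlsplit(target)
    if not parts.path.startswith("/wp-admin/"):
        return []
    # parse_qs percent-decodes once and maps '+' to a space, as PHP does for $_GET.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if VULN_PAGE_SLUG not in qs.get("page", []):
        return []
    return [(name, value) for name in REFLECTED_PARAMS
            for value in qs.get(name, []) if HTML_META.search(value)]

def scan_log(text):
    """Scan access-log text and list requests that match the reflection pattern."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        for name, value in inspect_request(target):
            findings.append({"ip": ip, "param": name, "value": value})
    return findings

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} reflected {hit['param']!r} = {hit['value']!r}")
```

Requests to other plugin pages are deliberately ignored so the rule stays specific to this advisory; widen VULN_PAGE_SLUG to a set if other admin pages on the site are known to reflect the same parameters.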