XSS vulnerability in Wordpress themes by Kriesi

According to my tests, the following premium Wordpress themes by Kriesi are affected by a reflected Cross-site Scripting (XSS) vulnerability:

• Abundance - 1,952 sales
• Eunoia - 378 sales
• Choices - 1,248 sales
• Brightbox - 892 sales
• Broadscope - 1,039 sales
• Corona - 1,712 sales
• Flashlight - 2,956 sales
• Coalition - 1,079 sales
• Shoutbox - 988 sales
• Velvet - 600 sales
• Upscale - 346 sales
• Expose - 473 sales
• Propulsion - 2,133 sales (added 30-Oct)
• Sentence - 712 sales (added 30-Oct)

Sales figures are based on Themeforest statistics. Over 16,000 web sites could be affected.

Developer status: notified initially on 5th of October
Latest developer response (24-Oct) : rolling out fixes in the near future.
Developer home page: http://www.kriesi.at/
Official support forum: http://www.kriesi.at/support/

Examples

Broadscope theme: injecting a fake login form using the iframe-tag (note: potential attacker would most likely mimic the target site layout and style):

Choices theme: external Javascript that displays the browser cookie:

Further reading:

Analysis of 15 million cyber attacks - posted on 22-Oct on Help Net Security. According to the article, XSS is now the most common attack type.

Update 30-Oct:
- The Open Source Vulnerability Database entries can be found from here
- My post on Themeforest forum was removed without explanation
- Propulsion and Sentence themes added

XSS vulnerability in four premium WordPress themes

According to my tests, the following premium WordPress themes are affected by a reflected Cross-site Scripting (XSS) vulnerability:

• BigBang  (1,229 purchases), AirWP (946 purchases) and ZigZag (1,978 purchases) by Brankic1979
• Convergence (1,941 purchases) by Maximus

Developer status: notified, no responses.

Based on the Themeforest purchase statistics, over 6,000 sites could be affected.

BigBang XSS test example - remote Javascript execution:

  

Convergence XSS test example - remote iframe injection:

Because the number of potentially affected sites is high, it would be important to spread this information.

Further reading:
WordPress Themes: XSS Vulnerabilities and Secure Coding Practices by Tony Perez

XSS vulnerability in Imediapixel premium WordPress themes

Back to WordPress theme testing.

According to my tests, the following premium WordPress themes by imediapixel are affected by a reflected Cross-site Scripting (XSS) vulnerability:

• ECOBIZ
• Ebiz
• Avanix
• Ovum

 Developer status: tried to contact vie e-mail and Themeforest forum - no responses.

Screen-shot of the ECOBIX theme basic XSS test - remote Javascript execution:

I have also tested some corporate sites using the ECOBIZ theme. They were all affected.

Based on the Themeforest purchase statistics, there could be over 4,000 affected websites.

Further reading:
WordPress Themes: XSS Vulnerabilities and Secure Coding Practices by Tony Perez

XSS vulnerability in multiple D+M group sites

According to my tests, the following D+M Group web-sites are vulnerable to reflected Cross-site Scripting (XSS):

• Denon - the following sites were tested:
• denon.co.uk 
• denon.de
• denoneu.com  
• denon.com.cn 
• usa.denon.com
• ca.denon.com
• denon.fi
• denon.ru
• denon-online.ch
• denon.jp
• denon.fr
• Marantz - the following sites were tested:
• marantz.co.uk
• marantzitaly.com  
• marantz.com.hk 
• allen-heath.com  
• mcintoshlabs.com 

Vendor status: notified and reported on 30-Sep-2011 to Global CMS Architect of D+M Group

Vendor response: thank you (however, vendor has not fixed any of the sites. Retested on 6-Oct-2012)

 Screen-shots of basic tests:

1) Allen-heath.com remote Javascript

2) Mcintoshlabs.com simple iframe 'injection''

3) Denon.de "login" form created with Javascript. Note: this is a generic test case. Real attacker would most likely mimic the site layout, colors and fonts.

4) Marantz.co.uk remote Javascript execution

5) Denon.fi basic XSS test using latest Chrome browser. Although some browsers have "anti-XSS" - features, there are known workarounds and "hacks". Developers should not trust browser security alone.

XSS vulnerability in Southwest Airlines

Southwest Airlines suffers from a reflected Cross-site Scripting (XSS) vulnerability.

Update 30-Dec-2012: This issue has been fixed.


I have tried to contact Southwest using various channels: e-mails, contact forms, persons via LinkedIn etc. I have not received a single response in four months.

One channel I did not even try this time is US-CERT, because they have not responded to my earlier e-mails.

I hope companies would open a working channel for security researchers and pentesters. Simple e-mail address like security at company.com would be nice.


Responsible disclosure requires responsible vendors.

XSS vulnerability in Parallelus premium WordPress themes

According to my tests, at least the following premium WordPress themes by Parallelus are affected by a reflected Cross-site Scripting (XSS) vulnerability:

• Unite
• Salutation
• Intersect
• Traject

Developer status: contact attempt through a web-form, no response. I have also tried to contact two sites using the Unite-theme, but there has been no responses.

Update from the developer: all affected Parallelus themes are now corrected

Screen-shot of the Unite theme XSS vulnerability:

Screen-shot of a website using one of these themes - test case executes a remote Javascript:

Developer's Themeforest profile indicates over 18,000 completed sales, but not all the themes and templates are vulnerable. The number of potentially affected sites could still be high: there has been 4,816 purchases of the Unite-theme alone. Affected sites include personal blogs, but also corporate websites.

I have tested several premium WordPress themes during the last week. The number of found issues is alarming. These cases are challenging from pentesting perspective:

• identifying potentially affected sites is a big task due to high volumes
• contacting all affected sites would take too much time
• many of the developers are difficult to reach and they might consider XSS as a minor issue

Therefore I'm trying to spread information through this blog and Twitter. Please help me if you think it is important to share information especially with the affected sites.

Update 6-Oct-2012 - online references:
F-Secure weblog posting
Threatpost news entry
PC Maganize Securitywatch
OSVDB entries

XSS vulnerability in BigFeature WordPress premium theme

BigFeature WordPress premium theme by Vfxdude is vulnerable to reflected Cross-site Scripting (XSS).

Developer status: notified. Developer response: issue has been fixed

Screen-shot of the XSS test:

Theme upgade is recommended. Theme developer has a support forum and online FAQ.

The number of affected sites is unknown. Themeforest statistics indicates that 4636 purchases have been completed. I tested nine different sites using this theme and they were all affected.

Further reading:
What's Cross-site Scripting -  MakeUseOf-article, July 2012
Why XSS is so serious business a blog post by Troy Hunt, August 2012
The Open Web Application Security Project (OWASP) TOP-10-A2