Reporter Charles Hooper
`Multiple Vulnerabilities in WP Forum (WordPress Plugin)
1. Advisory Information
Title: Multiple Vulnerabilities in WP-Forum
Advisory URL: http://www.charleshooper.net/advisories/
Date Published: 12/17/2010
Vendors Contacted: WordPress. Maintainer of plugin is unreachable.
WP Forum is a plugin for the popular blog tool and publishing platform,
The author of WP Forum describes it as a "Simple discussion forum
"easy to use and administer."
There exist multiple vulnerabilities in WP Forum. Basically, input
validation is not
performed at all resulting in SQL injection, stored XSS, and reflected
Furthermore, the author wrote the plugin under the assumption that it
would only be
executed within the context of the WordPress administrative panel,
to perform proper authentication and authorization.
3. Vulnerability Information
Packages/Versions Affected: Probably all, but confirmed only on WP Forum
3a. Type: SQL Injection [CWE-89]
3a. Impact: Read application data, bypass protection mechanism,
modify application data. There are multiple SQL injections
in WP Forum. The most prominent of which is the SQL
in the `group_login` functionality. Prior to logging in, an
can retrieve each group's passwords due to the vulnerability
3b. Type: Plaintext Storage of a Password [CWE-256]
3b. Impact: Password is easily retrieved from database
3c. Type: XSS (Stored or Reflected) [CWE-79]
3c. Impact: Execute unauthorized code or commands
3d. Type: Auth Bypass via Direct Request [CWE-425]
3d. Impact: Many or all of the administrative functions assume they are
in the context of the WordPress administrative section. As a
they often do not check that the user is authenticated or
to perform a particular action. Example functionality
or removing forum moderators and deleting forums. This
could lead to information exposure, privilege escalation, or
3e. Type: Information Exposure Through Sent Data [CWE-201]
3e. Impact: `sendmail.php` discloses users' email addresses by accepting
provider "user" variable and returns a hidden <input/> tag
that user's email address.
3f. Type: External Control of Assumed-Immutable Web Parameter [CWE-472]
3f. Impact: `sendmail.php` accepts user-provided input allowing it to be
an email relay
4. PoC & Technical Description
Due to the number of vulnerabilities in this package, I will not discuss
individually. Instead, here are some sample POCs. Many more exploitable
in this package than what I am providing here.
or (goes for all POCs):
id>&groupname=<new group name>&passwd=<new group password>
id> (email address will be in HTML source)
4f. POST 'submit=true&sender=<from address>&email=<to
5. Report Timeline
12/10/2010 Initial email sent to WordPress security.
12/10/2010 Maintainer not yet contacted as project appears abandoned and
does not have listed contact information.
12/17/2010 No reply from WordPress security. Advisory released.
6a. The WordPress Plugin page for WP Forum:
6b. The WordPress Profile page for the author of the plugin:
6c. The plugin author's website:
This vulnerability report by Charles Hooper < email@example.com > is
licensed under a Creative Commons Attribution-NonCommercial-ShareAlike
3.0 Unported License.
Public Key: Obtainable via pool.sks-keyservers.net