------------------------------------------------------------------------
Cross-Site Scripting in Store Locator Plus for WordPress
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in Store Locator Plus for
WordPress. This issue allows an attacker to perform a wide variety of
actions, such as stealing Administrators' session tokens, or performing
arbitrary actions on their behalf. In order to exploit this issue, the
attacker has to lure/force a logged on WordPress Administrator into
opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0025

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Store Locator Plus for WordPress
[2] version 4.5.09.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in Store Locator Plus for WordPress
version 4.5.12 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Store Locator Plus for WordPress [2] is a location mapping and directory
system with over 10,000 active installations. A Cross-Site Scripting
vulnerability was found in Store Locator Plus for WordPress. This issue
allows an attacker to perform a wide variety of actions, such as
stealing Administrators' session tokens, or performing arbitrary actions
on their behalf.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists in the file include/class.admin.locations.add.php and
is caused due to the lack of output encoding on the start request
parameter.

$this->section_params['opening_html'] =
	"<form id='manualAddForm' name='manualAddForm' method='post'>" .
	( $this->adding ? '<input type="hidden" id="act" name="act" value="add"
/>' : '<input type="hidden" id="act" name="act" value="edit" />' ) .
	"<input type='hidden' name='id' " .
	"id='id' value='{$this->slplus->currentLocation->id}' />" .
	"<input type='hidden' name='locationID' " .
	"id='locationID' value='{$this->slplus->currentLocation->id}' />" .
	"<input type='hidden'
name='linked_postid-{$this->slplus->currentLocation->id}' " .
	"id='linked_postid-{$this->slplus->currentLocation->id}' value='" .
	$this->slplus->currentLocation->linked_postid .
	"' />" .
	( isset( $_REQUEST['start'] ) ? "<input type='hidden' name='start'
id='start' value='{$_REQUEST['start']}' />" : '' ) .
	"<a name='a{$this->slplus->currentLocation->id}'></a>";
	
In order to exploit this issue, the attacker has to lure/force a logged
on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
http://<target>/wp-admin/admin.php?page=slp_manage_locations&start=%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_store_locator_plus_for_wordpress.html
[2] https://wordpress.org/plugins/store-locator-le/
[3] https://downloads.wordpress.org/plugin/store-locator-le.4.5.12.zip