WordPress Flaws and Vulnerabilities

XSS and WPML Using Accept-Language Header

Blog WordPress Flaws and Vulnerabilities XSS and WPML Using Accept-Language Header

WPML is a famous premium multilingual plugin for WordPress.

On 08/31/2015 the version 3.2.7 fix a XSS flaw already there since v2.9.3.

The file is ajax.php at plugin’s root, the code is:

[pastacode lang=”php” message=”” highlight=”” provider=”manual” manual=”case%20’get_browser_language’%3A%0A%09%09%24http_accept_language%20%20%20%20%20%20%20%20%20%20%20%20%3D%20%24_SERVER%5B%20’HTTP_ACCEPT_LANGUAGE’%20%5D%3B%0A%09%09%24accepted_languages%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3D%20explode(%20’%3B’%2C%20%24http_accept_language%20)%3B%0A%09%09%24default_accepted_language%20%20%20%20%20%20%20%3D%20%24accepted_languages%5B%200%20%5D%3B%0A%09%09%24default_accepted_language_codes%20%3D%20explode(%20’%2C’%2C%20%24default_accepted_language%20)%3B%0A%09%09echo%20wpml_mb_strtolower(%20%24default_accepted_language_codes%5B%200%20%5D%20)%3B%0Aexit%3B”/]
The plugin will read the Accept-Language header, cut it using ;, take the first element, cut it using ,, take the first element again and displays it lowercased.

The flaw is that there is no sanitization o the output, so it’s easy to modify a HTTP request header to insert JS code that will be executed, or even full PHP code that could be included later using a LFI (Local File Inclusion) flaw..

The version 3.2.7 fix the flaw adding sanitization on the ouput.