WordPress Flaws and Vulnerabilities

XSS and WPML Using Accept-Language Header

Blog WordPress Flaws and Vulnerabilities XSS and WPML Using Accept-Language Header

September 2, 2015 0 comments

WPML is a famous premium multilingual plugin for WordPress.

On 08/31/2015 the version 3.2.7 fix a XSS flaw already there since v2.9.3.

The file is ajax.php at plugin’s root, the code is:

case 'get_browser_language':
		$http_accept_language            = $_SERVER[ 'HTTP_ACCEPT_LANGUAGE' ];
		$accepted_languages              = explode( ';', $http_accept_language );
		$default_accepted_language       = $accepted_languages[ 0 ];
		$default_accepted_language_codes = explode( ',', $default_accepted_language );
		echo wpml_mb_strtolower( $default_accepted_language_codes[ 0 ] );
exit;

The plugin will read the Accept-Language header, cut it using ;, take the first element, cut it using ,, take the first element again and displays it lowercased.

The flaw is that there is no sanitization o the output, so it’s easy to modify a HTTP request header to insert JS code that will be executed, or even full PHP code that could be included later using a LFI (Local File Inclusion) flaw..

The version 3.2.7 fix the flaw adding sanitization on the ouput.

baw_150902-0115451

About Julio Potier All of Julio Potier's posts

Creator of SecuPress and the LearnWPSecurity Training, Julio is also lead organisator of WordCamp Lille.
Compulsive speaker, Senior Trainer and WordPress Engineer, he's a specialist in security since 2002 and contribute to WordPress various ways.

This might interest you too

Vulnerabilities Exists in Popular WordPress Plugins Too

WordPress 4.9.6 Vulnerability let authors delete any file, updated video

WordPress 4.8.3 – Security Release