This plug-in sends extra info about the commenter back to the WordPress admin. However, some of the fields, such as the USER-AGENT, can be spoofed and send back <Script> tags in the spoofed agent without sanitation. Every field should have htmlentities wrapped around it before sending the email to the site owner to help mitigate attacks. We found this because someone using TOR was attacking our site with the same refJS tag, and we didn’t have this plug-in installed, but it was caught by one of the tools we wrote to check for attacks. After investigating, it led us to this plug-in, and we could see in the source code that some of the fields are slashed, but much of it can be spoofed, such as the USER-AGENT field, to contain JavaScript. Someone attacking my own site knows of this flaw and is actively trying to exploit it in the wild, even though I don’t run it on my own site.

It would seem that if the admin was using a web-based email reader that also natively allowed JavaScript to run in their email client, an attacker could scrape the admin's email URL, session and cookies, possibly gaining access to the admin's email account. If successful, they could use the WordPress password reset feature, intercept the email link and then log in as the admin to perform other attacks.

We’ve only gone as far as trying basic XSS alerts, but for someone who spent more time digging into the spoofed data it might also be possible to send a CSRF if the admin was logged in and the code executed against their email reader, or redirected them to their own WordPress site to send commands.

http://wordpress.org/extend/plugins/comment-technical-data/
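The fix the post recommends, as an added example that is not the plugin's own code: every commenter-supplied field is run through htmlentities before it is placed in the notification email, and anything that ends up in a mail header is stripped of line breaks. The function names (ctd_escape_field, ctd_build_email_body, ctd_header_safe) and the sample fields are assumptions constructed for this example.

```php
<?php
// Added example (not the plugin's code): escape every commenter field before
// it goes into the admin notification email, as the post above recommends.

/**
 * Escape one value for inclusion in an HTML email body.
 * ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of returning an empty string.
 */
function ctd_escape_field(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build the HTML body for the admin notification. $fields is the raw
 * commenter data (IP, User-Agent, Referer, ...); none of it is trusted,
 * so both the field names and the values are escaped.
 */
function ctd_build_email_body(array $fields): string
{
    $rows = '';
    foreach ($fields as $name => $value) {
        $rows .= '<tr><th>' . ctd_escape_field((string) $name) . '</th>'
               . '<td>' . ctd_escape_field((string) $value) . '</td></tr>' . "\n";
    }
    return "<table>\n" . $rows . "</table>\n";
}

/**
 * Values that end up in a mail header (for example a Subject that quotes the
 * commenter's User-Agent) must not carry CR or LF, otherwise a spoofed field
 * could append extra headers to the message.
 */
function ctd_header_safe(string $value): string
{
    return str_replace(["\r", "\n"], ' ', $value);
}

// Constructed sample input: a spoofed User-Agent of the kind the post
// describes, plus a Referer carrying an attribute-breaking payload.
$sample = [
    'IP'         => '203.0.113.7',   // RFC 5737 documentation address
    'User-Agent' => '<script>alert(1)</script>',
    'Referer'    => 'http://example.com/?q="><img src=x onerror=alert(1)>',
];

$subject = 'New comment from ' . ctd_header_safe($sample['User-Agent']);
$body    = ctd_build_email_body($sample);

// The User-Agent row now reads &lt;script&gt;alert(1)&lt;/script&gt; and is
// displayed as text by the email client instead of being executed.
echo $subject, "\n", $body;
```

In a WordPress plugin the same escaping is available as esc_html(), and the body built this way can be handed to wp_mail() unchanged. The point of escaping at the output side is that it does not matter which fields the plugin already slashes on input: every value is neutralised at the moment it is rendered into HTML.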

Topic: ‘[Plugin: Comment Technical Data] This Plug-in needs more sanitation of fields sent back, when emaile’ (closed to new replies)