XSS and WPML Using Accept-Language Header

WPML is a famous premium multilingual plugin for WordPress.

On 08/31/2015 the version 3.2.7 fix a XSS flaw already there since v2.9.3.

The file is ajax.php at plugin’s root, the code is:

[pastacode lang=”php” message=”” highlight=”” provider=”manual” manual=”case%20’get_browser_language’%3A%0A%09%09%24http_accept_language%20%20%20%20%20%20%20%20%20%20%20%20%3D%20%24_SERVER%5B%20’HTTP_ACCEPT_LANGUAGE’%20%5D%3B%0A%09%09%24accepted_languages%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3D%20explode(%20’%3B’%2C%20%24http_accept_language%20)%3B%0A%09%09%24default_accepted_language%20%20%20%20%20%20%20%3D%20%24accepted_languages%5B%200%20%5D%3B%0A%09%09%24default_accepted_language_codes%20%3D%20explode(%20’%2C’%2C%20%24default_accepted_language%20)%3B%0A%09%09echo%20wpml_mb_strtolower(%20%24default_accepted_language_codes%5B%200%20%5D%20)%3B%0Aexit%3B”/]
The plugin will read the Accept-Language header, cut it using ;, take the first element, cut it using ,, take the first element again and displays it lowercased.

The flaw is that there is no sanitization o the output, so it’s easy to modify a HTTP request header to insert JS code that will be executed, or even full PHP code that could be included later using a LFI (Local File Inclusion) flaw..

The version 3.2.7 fix the flaw adding sanitization on the ouput.

About Julio Potier All of Julio Potier's posts

Creator of SecuPress and the LearnWPSecurity Training, Julio is also lead organisator of WordCamp Lille.
Compulsive speaker, Senior Trainer and WordPress Engineer, he's a specialist in security since 2002 and contribute to WordPress various ways.