I would like describe a step-by-step of my latest “appreciation program” reward on a security issue in a WordPress plugin.
First things first – check if the blog is in-scope of the program. If it is, continue to read this article. If not, you can just see my other tips about #bugbounty (here  and here).

I’m a big fan of WPScan. It’s a great Ruby tool to scan a WordPress installation. It uses a black box approach but still a must use in my opinion.
WPScan didn’t find any real security issue on my target but showed me the list of plugins used:

ruby wpscan.rb –url www.target.com –enumerate p

So I picked one by one to search for open vulnerabilities or something interesting on their changelog. Nothing…
I needed to start auditing them.

I picked Events Made Easy plugin  and installed it on my local box. The plugin is quite simple and I noticed that nonce WordPress security token or any other form protection was missing in some places [when auditing the source-code]. Also some of the variables were not sanitized so I could attack it with a CSRF and a Persistent XSS.

I started creating a proof-of-concept based on my findings – check the advisory.
I reported the security issue to the “appreciation program”, vendor and requested a CVE reference.

So my steps were:

  1. WordPress blog is in scope for reward
  2. Scan it with WPScan [don’t forget to enumerate the plugins]
  3. Analyze the results
  4. If scanning got you a vulnerability, report it! If not, download the plugins used, audit the source-code and create a proof-of-concept

Here you have some public bounties I found on Nexmo on their blog – https://cobalt.io/nexmo/reports/17 and https://cobalt.io/nexmo/reports/18

Small tip: Sometimes even a full disclosure can get you a small bounty 🙂 https://cobalt.io/nexmo/reports/15

Leave a Reply