I would like to describe, step by step, how I earned my latest “appreciation program” reward for a security issue in a WordPress plugin.
First things first – check whether the blog is in scope for the program. If it is, continue reading this article. If not, you can just see my other tips about #bugbounty (here and here).
I’m a big fan of WPScan. It’s a great Ruby tool for scanning a WordPress installation. It uses a black-box approach, but it is still a must-use tool in my opinion.
WPScan didn’t find any real security issue on my target but showed me the list of plugins used:
ruby wpscan.rb --url www.target.com --enumerate p
So I went through them one by one, searching for known vulnerabilities or anything interesting in their changelogs. Nothing…
I needed to start auditing them.
I picked the Events Made Easy plugin and installed it on my local box. The plugin is quite simple, and while auditing the source code I noticed that the WordPress nonce security token (or any other form protection) was missing in some places. Also, some of the variables were not sanitized, so I could attack it with a CSRF and a Persistent XSS.
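To make those two weaknesses concrete, here is an added example of my own (not code from Events Made Easy): a hypothetical handler that saves an event description, written first with the missing nonce check and unsanitized input the post describes, then hardened with WordPress’s nonce, capability, sanitization and escaping functions. The function, option and nonce names are assumptions.

```php
<?php
// Added example (not the plugin's code): hypothetical handler that stores an
// event description; the option and nonce names are assumed.

// --- Vulnerable pattern: no nonce check, raw input stored, raw output echoed ---
function vuln_save_event_description() {
    if ( isset( $_POST['event_description'] ) ) {
        // No nonce/referer check: any site a logged-in admin visits can
        // submit this form on their behalf (CSRF).
        update_option( 'my_event_description', $_POST['event_description'] );
    }
}

function vuln_render_event_description() {
    // Stored value printed without escaping: persistent XSS for every viewer.
    echo get_option( 'my_event_description' );
}

// --- Hardened pattern ---
function safe_render_event_form() {
    echo '<form method="post">';
    // Emits a hidden nonce field tied to this action and the current user.
    wp_nonce_field( 'save_event_description', '_event_nonce' );
    echo '<textarea name="event_description"></textarea>';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

function safe_save_event_description() {
    if ( ! isset( $_POST['event_description'] ) ) {
        return;
    }
    // Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Nonce check: rejects cross-site submissions lacking the per-user token.
    if ( ! isset( $_POST['_event_nonce'] )
         || ! wp_verify_nonce( $_POST['_event_nonce'], 'save_event_description' ) ) {
        wp_die( 'Invalid request.' );
    }
    // Sanitize on input: strips tags and keeps plain text only.
    $description = sanitize_textarea_field( wp_unslash( $_POST['event_description'] ) );
    update_option( 'my_event_description', $description );
}

function safe_render_event_description() {
    // Escape on output: even if a tag slipped in, it is rendered as text.
    echo esc_html( get_option( 'my_event_description' ) );
}
```

Checking for exactly these missing calls (nonce verification before a state change, sanitization on input, escaping on output) is a quick way to triage a plugin during a source-code audit.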
I started creating a proof-of-concept based on my findings – check the advisory.
I reported the security issue to the “appreciation program” and the vendor, and requested a CVE reference.
So my steps were:
- Check that the WordPress blog is in scope for a reward
- Scan it with WPScan [don’t forget to enumerate the plugins]
- Analyze the results
- If the scan got you a vulnerability, report it! If not, download the plugins used, audit the source code and create a proof-of-concept
Small tip: Sometimes even a full disclosure can get you a small bounty 🙂 https://cobalt.io/nexmo/reports/15