[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Wordpress v5.9 - Reflected Cross Site Scripting Web Vulnerability

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Wordpress v5.9 - Reflected Cross Site Scripting Web Vulnerability
From: "info@xxxxxxxxxxxxxxxxxxxxx" <info@xxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 17 Feb 2022 12:23:17 +0100

Document Title:
===============
Wordpress v5.9 - Reflected Cross Site Scripting Web Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2316


Release Date:
=============
2022-02-09


Vulnerability Laboratory ID (VL-ID):
====================================
2316


Common Vulnerability Scoring System:
====================================
4.2


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
WordPress (WP, WordPress.org) is a free and open-source content management 
system (CMS) written in PHP and paired
with a MySQL or MariaDB database. Features include a plugin architecture and a 
template system, referred to within
WordPress as Themes. WordPress was originally created as a blog-publishing 
system but has evolved to support other
web content types including more traditional mailing lists and forums, media 
galleries, membership sites, learning
management systems (LMS) and online stores. One of the most popular content 
management system solutions in use,
WordPress is used by 42.8% of the top 10 million websites as of October 2021.

(Copy of the Homepage: wikipedia.com)


Abstract Advisory Information:
==============================
An independent vulnerability  researcher discovered a reflected cross site web 
vulnerability in the official Wordpress v5.9 framework.


Affected Product(s):
====================
Wordpress.org
Product: Wordpress v5.9 - Blog (PHP) (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2022-02-09: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Moderator Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
The reflected xss can be exploited when a user with the AUTHOR or CONTRIBUTOR 
role adds a javascript
payload in the Post's Excerpt function, whenever a user wants to use the Add 
Block function in their post
or page, the xss will be executed. Also the post and page editor allows 
executing the xss payload
directly just by copying and pasting the malicious javascript.


Proof of Concept (PoC):
=======================
The non-persistent cross site scripting web vulnerability can be exploited by 
remote attackers with contributor or author user account (authenticated)
and with low user interaction. For security demonstration or to reproduce the 
cross site web vulnerability follow the provided
information and steps below to continue.


Note: Cross-Site Scripting will be executed, since in all the sections where 
the editor and search engine of the
add block function can be used as well as in the post and page section of the 
editor with the copy and paste function.


POC1:The malicious Excerpt will be executed in the post and page sections at 
the moment you want to use the add new block
function and typing some name in the search engine of the add block function 
reflecting it in all the wordpress editor sections.

1.) Login whit user author or contributor
2.) Add new post
3.) Add Block Post Excerpt

4.) Add malicious code in the Extract function (<object data="javascript:alert(0)">)5.) Replicated


POC2 IN BLOCK FUCTION
1.) Login whit user author
2.) Add new post
3.) Publish Post

4.) Add malicious code in the Extract function (<object data="javascript:alert(0)">)5.) In the post editor add a new block

6.) Search for something in the block search engine7.) Replicated

POC3: XSS IN POST & PAGE EDITOR
1.) Login whit user author or contributor
2.) Add new post

3.) Copy & Page (<object data="javascript:alert(0)">) in editor4.)4.) Replicated



Firefox Payload:
<object data="javascript:alert('xss')">
<object data=/ onload=alert(1)>
<iframe src="javascript:alert(1)">

Chrome Payload:
<form><button formaction=javascript:alert(1)>XSS
<iframe src="javascript:alert(1)">
<form action=javascript:alert(1)><input type=submit value=XSS>

Poc Image:
https://i.imgur.com/WiaEUEE.png
https://i.imgur.com/voJptm0.png

Poc Video
https://www.youtube.com/watch?v=hUY00Vg6wOk


Solution - Fix & Patch:
=======================
The vulnerability can be resolved by a encode and secure parse / escape of the 
inputs.
In a second step the output location were the execute occurs needs to be 
sanitized.

Note: Wordpress is informed about the issue and is in progress to develop an 
update. The researcher notet to public disclose the finding immediatly.
Until the patch is available, ensure that only trusted persons have access to 
contributor or author roles. As alternativ it is possible
to deactivate the accounts until a patch is available.


Credits & Authors:
==================
TaurusOmar (@TaurusOmar_) 
-https://www.vulnerability-lab.com/show.php?user=TaurusOmar


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been 
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or 
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data.

Domains:        https://www.vulnerability-lab.com  ;    
https://www.vuln-lab.com  ;https://www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

                                    Copyright © 2022 | Vulnerability Laboratory - 
[Evolution Security GmbH]™



--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Car Portal Template - (Search) Persistent Web Vulnerability
Next by Date: [FD] Vicidial v2.14-783a - (DB) SQL Injection Web Vulnerability
Previous by thread: [FD] Car Portal Template - (Search) Persistent Web Vulnerability
Next by thread: [FD] Vicidial v2.14-783a - (DB) SQL Injection Web Vulnerability
Index(es):
- Date
- Thread