what you don't know can hurt you

WordPress 3.9.2 Cross Site Scripting

WordPress 3.9.2 Cross Site Scripting
Posted Nov 21, 2014
Authored by Jouko Pynnonen | Site klikki.fi

A security flaw in WordPress 3 allows injection of JavaScript into certain text fields. In particular, the problem affects comment boxes on WordPress posts and pages. These do not require authentication by default.

tags | advisory, javascript, xss
MD5 | 0f7f12faafeedc2e7b0977984f3b5a0a

WordPress 3.9.2 Cross Site Scripting

Change Mirror Download

A security flaw in WordPress 3 allows injection of JavaScript into certain
text fields. In particular, the problem affects comment boxes on WordPress
posts and pages. These don't require authentication by default.

The JavaScript injected into a comment is executed when the target user
views it, either on a blog post, a page, or in the Comments section of the
administrative Dashboard.

In the most obvious scenario the attacker leaves a comment containing the
JavaScript and some links in order to put the comment in the moderation
queue. The exploit is not then visible to normal users, search engines, etc.

When a blog administrator goes to the Dashboard/Comments section to review
new comments, the JavaScript gets executed. The script can then perform
operations with administrator privileges.

For instance, our PoC exploits first clean up traces of the injected script
from the database, then perform other administrative tasks such as changing
the current user's password, adding a new administrator account, or using
the plugin editor to write attacker-supplied PHP code on the server (this
impact applies to any WordPress XSS if triggered by an administrator).

These operations happen in the background without the user seeing anything
out of ordinary.

If the attacker writes new PHP code on the server via the plugin editor,
another AJAX request can be used to execute it instantaneously, whereby the
attacker gains operating system level access on the server.

The exploit will NOT be triggered directly at the Dashboard "root view"
because only snippets (20 first words) of the latest comments are shown
there with all HTML stripped.

If approved there, the exploit will be triggered by any user viewing the
targeted blog posting or page, with their corresponding privileges.

Plugins that let unprivileged users to enter HTML text may offer other
attack vectors.


WordPress allows a few HTML tags in comments, such as the anchor <A>, bold
<B>, and code <CODE> tags. Certain white-listed attributes are allowed in
each tag. Obviously, the "href" attribute is important for anchor tags, but
e.g. the "onmouseover" attribute would be undesirable.

The problem occurs in a text formatting function called wptexturize() which
is normally executed for each comment and other blocks of text. The
function replaces certain simple characters with fancier HTML entities. For
instance, straight quote symbols are replaced with opening and closing
curly quotes, unicode 8220 and 8221.

In order to avoid interfering with HTML formatting, wptexturize() first
splits the text in segments. The splitting is expected to pick HTML tags
(which aren't texturized) apart from running text (which is texturized).

In addition to HTML tags, the code is supposed to recognize
square-bracketed shortcodes such as [CODE] and avoid texturizing them.

The splitting is implemented with a regular expression in

$textarr = preg_split('/(<.*>|\[.*\])/Us', $text, -1,

A text containing carefully mixed square and angle brackets confuses the
splitting process and results in HTML code getting partially texturized.

An attacker can exploit the bug to supply any attributes in the allowed
HTML tags. A style attribute can be used to create a transparent tag
covering the whole window, forcing the execution of its onmouseover handler.

In practical applications the script would probably first remove the
transparent tag to avoid interfering with UI events and re-triggering
the handler.
It could then insert a new <SCRIPT> tag to load a more complex JavaScript
file to execute from another web server. This script can use e.g. jQuery to
chain AJAX operations for posting HTML forms and retrieving the required


We tested a few WordPress versions from 3.0 to the latest 3.9.2. All tested
versions were vulnerable. The problem seems to have gone uncorrected for
almost four years.

Version 4.0 uses a different kind of regular expression and is NOT
vulnerable to this problem.


Texturizing can be easily disabled by adding a return statement in the
beginning of the function in wp-includes/formatting.php:

function wptexturize($text) {
return $text; // ADD THIS LINE
global $wp_cockneyreplace;

This changes how some punctuation marks look like but the difference is
quite minor.

We have also made a WordPress plugin available for disabling texturization. For
more information and an up-to-date version of this document, please refer
to our website http://klikki.fi

The preferred solution should be applying the official patch released by


WordPress was notified on September 26 and has released patches correcting
the problem. The WordPress security advisory is available at



The vulnerability was discovered and researched by Jouko Pynnonen, Klikki
Oy, Finland.

Jouko Pynnonen <jouko@iki.fi>
Klikki Oy - http://klikki.fi


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    22 Files
  • 20
    Mar 20th
    14 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    15 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2019 Packet Storm. All rights reserved.

Security Services
Hosting By