WordPress 3.9.2 Cross Site Scripting

Posted Nov 21, 2014
Authored by Jouko Pynnonen | Site

A security flaw in WordPress 3 allows injection of JavaScript into certain text fields. In particular, the problem affects comment boxes on WordPress posts and pages. These do not require authentication by default.

tags | advisory, javascript, xss
MD5 | 0f7f12faafeedc2e7b0977984f3b5a0a


A security flaw in WordPress 3 allows injection of JavaScript into certain
text fields. In particular, the problem affects comment boxes on WordPress
posts and pages. These don't require authentication by default.

The JavaScript injected into a comment is executed when the target user
views it, either on a blog post, a page, or in the Comments section of the
administrative Dashboard.

In the most obvious scenario the attacker leaves a comment containing the
JavaScript and some links in order to put the comment in the moderation
queue. The exploit is then not visible to normal users, search engines, etc.

When a blog administrator goes to the Dashboard/Comments section to review
new comments, the JavaScript gets executed. The script can then perform
operations with administrator privileges.

For instance, our PoC exploits first clean up traces of the injected script
from the database, then perform other administrative tasks such as changing
the current user's password, adding a new administrator account, or using
the plugin editor to write attacker-supplied PHP code on the server (this
impact applies to any WordPress XSS if triggered by an administrator).

These operations happen in the background without the user seeing anything
out of the ordinary.

If the attacker writes new PHP code on the server via the plugin editor,
another AJAX request can be used to execute it instantaneously, whereby the
attacker gains operating system level access on the server.

The exploit will NOT be triggered directly at the Dashboard "root view"
because only snippets (the first 20 words) of the latest comments are shown
there with all HTML stripped.

If approved there, the exploit will be triggered by any user viewing the
targeted blog posting or page, with their corresponding privileges.

Plugins that let unprivileged users enter HTML text may offer other
attack vectors.


WordPress allows a few HTML tags in comments, such as the anchor <A>, bold
<B>, and code <CODE> tags. Certain white-listed attributes are allowed in
each tag. Obviously, the "href" attribute is important for anchor tags, but
e.g. the "onmouseover" attribute would be undesirable.

The problem occurs in a text formatting function called wptexturize() which
is normally executed for each comment and other blocks of text. The
function replaces certain simple characters with fancier HTML entities. For
instance, straight quote characters are replaced with opening and closing
curly quotes, Unicode 8220 and 8221.

In order to avoid interfering with HTML formatting, wptexturize() first
splits the text in segments. The splitting is expected to pick HTML tags
(which aren't texturized) apart from running text (which is texturized).

In addition to HTML tags, the code is supposed to recognize
square-bracketed shortcodes such as [CODE] and avoid texturizing them.

The splitting is implemented with a regular expression in

$textarr = preg_split('/(<.*>|\[.*\])/Us', $text, -1,

A text containing carefully mixed square and angle brackets confuses the
splitting process and results in HTML code getting partially texturized.

An attacker can exploit the bug to supply any attributes in the allowed
HTML tags. A style attribute can be used to create a transparent tag
covering the whole window, forcing the execution of its onmouseover handler.

In practical applications the script would probably first remove the
transparent tag to avoid interfering with UI events and re-triggering
the handler.
It could then insert a new <SCRIPT> tag to load a more complex JavaScript
file to execute from another web server. This script can use e.g. jQuery to
chain AJAX operations for posting HTML forms and retrieving the required


We tested a few WordPress versions from 3.0 to the latest 3.9.2. All tested
versions were vulnerable. The problem seems to have gone uncorrected for
almost four years.

Version 4.0 uses a different kind of regular expression and is NOT
vulnerable to this problem.


Texturizing can be easily disabled by adding a return statement in the
beginning of the function in wp-includes/formatting.php:

function wptexturize($text) {
return $text; // ADD THIS LINE
global $wp_cockneyreplace;

This changes how some punctuation marks look, but the difference is
quite minor.

We have also made a WordPress plugin available for disabling texturization. For
more information and an up-to-date version of this document, please refer
to our website

The preferred solution should be applying the official patch released by


WordPress was notified on September 26 and has released patches correcting
the problem. The WordPress security advisory is available at


The vulnerability was discovered and researched by Jouko Pynnonen, Klikki
Oy, Finland.

Jouko Pynnonen <>
Klikki Oy -

