what you don't know can hurt you

WordPress 4.5.3 Audio Playlist Cross Site Scripting

WordPress 4.5.3 Audio Playlist Cross Site Scripting
Posted Mar 7, 2017
Authored by Yorick Koster, Securify B.V.

WordPress version 4.5.3 Audio Playlist suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 03337762b5f9e7ec64dbec0de777fb10

WordPress 4.5.3 Audio Playlist Cross Site Scripting

Change Mirror Download
------------------------------------------------------------------------
WordPress audio playlist functionality is affected by Cross-Site
Scripting
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Two Cross-Site Scripting vulnerabilities exists in the playlist
functionality of WordPress. These issues can be exploited by convincing
an Editor or Administrator into uploading a malicious MP3 file. Once
uploaded the issues can be triggered by a Contributor or higher using
the playlist shortcode.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160717-0003

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the WordPress version 4.5.3.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
These issues are resolved in WordPress version 4.7.3.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html

It was discovered that meta information (ID3) stored in audio files are not properly sanitized in case they are uploaded by a user with the unfiltered_html (generally an Editor or Administrator).

The first Cross-Site Scripting vulnerability exists in the function that processes the playlist shortcode, which is done in the wp_playlist_shortcode() method (/wp-includes/media.php). This method creates a <noscript> block for users with JavaScript disabled.


The method wp_get_attachment_link() does not perform any output encoding on the link text. Meta information from the audio file is used in the link text, rendering wp_playlist_shortcode() vulnerable to Cross-Site Scripting.

The second Cross-Site Scripting issue is DOM-based and exists in the JavaScript file /wp-includes/js/mediaelement/wp-playlist.js (or /wp-includes/js/mediaelement/wp-playlist.min.js). The WPPlaylistView object is used to render a audio player client side. The method renderTracks() uses the meta information from the audio file in a call to jQuery's append() method. No output encoding is used on the meta information, resulting in a Cross-Site Scripting vulnerability.


Proof of concept

The following MP3 file can be used to reproduce this issue:

https://securify.nl/advisory/SFY20160742/xss.mp3

1) upload MP3 file to the Media Library (as Editor or Administrator).
2) Insert an Audio Playlist in a Post containing this MP3 (Create Audio Playlist).

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

Login or Register to add favorites

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    2 Files
  • 13
    Jun 13th
    1 Files
  • 14
    Jun 14th
    32 Files
  • 15
    Jun 15th
    34 Files
  • 16
    Jun 16th
    9 Files
  • 17
    Jun 17th
    33 Files
  • 18
    Jun 18th
    11 Files
  • 19
    Jun 19th
    1 Files
  • 20
    Jun 20th
    3 Files
  • 21
    Jun 21st
    2 Files
  • 22
    Jun 22nd
    21 Files
  • 23
    Jun 23rd
    19 Files
  • 24
    Jun 24th
    12 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close