Objective: Find, analyze, recreate, and document five vulnerabilities affecting an old version of WordPress
- Summary: An unauthorized user/attacker can inject JavaScript into WordPress comments, which will be triggered when the comment is viewed. If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.
- Vulnerability types: XSS
- Tested in version: 4.2
- Fixed in version: 4.2.1
- GIF Walkthrough:
- Steps to recreate:
- Enter as a comment the following:
<a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA...[64 kb]..AAA'></a>
- Affected source code:
- Not Found
- Summary: A persistent cross-site scripting vulnerability where an attacker can create a specially crafted image file name which, when uploaded to WordPress, injects malicious JavaScript code into the application. This could lead to the theft of user session tokens or login credentials. Note that this involves social engineering.
- Vulnerability types: XSS
- Tested in version: 4.2
- Fixed in version: 4.2.10
- GIF Walkthrough:
- Steps to recreate:
- Add any new media file and change its name/title to
<img src=a onerror=alert(document.cookie)>.jpg
- Change the "Link to" option from the drop-down menu, and set it to "Attachment Page"
- Affected source code:
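Added example (not part of this report and not WordPress code): a JavaScript sketch of the two defensive controls that neutralise the payloads in reports 1 and 2. For the comment payload it rebuilds allowed tags from an attribute allowlist, the way a kses-style filter does, and shows why an input-length limit has to be enforced before sanitising rather than by truncating the stored result afterwards. The 64 kB padding in the payload suggests a storage-truncation path, but the affected source was not found, so that ordering is an assumption made for the example, not the confirmed root cause. For the file-name payload it escapes the attachment title for HTML output. The inputs are the payloads quoted above with the padding shortened; `ALLOWED`, `storeSafely`, `storeUnsafely` and `renderAttachmentTitle` are names chosen for this example.

```javascript
// Added example, not WordPress code: an allowlist (kses-style) sanitiser
// for comment HTML, an HTML escaper for media titles, and the effect of
// enforcing a size limit before versus after sanitising.
// Constructed inputs: the payloads quoted in reports 1 and 2, with the
// 64 kB 'A' padding shortened to 200 bytes.
const COMMENT_PAYLOAD =
  "<a title='x onmouseover=alert(unescape(/hello%20world/.source)) " +
  "style=position:absolute;left:0;top:0;width:5000px;height:5000px " +
  "A".repeat(200) + "'></a>";
const FILENAME_PAYLOAD = "<img src=a onerror=alert(document.cookie)>.jpg";

// Escapes text for an HTML body or double-quoted attribute context.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Attachment page: the file name is data, so it is escaped on output.
function renderAttachmentTitle(filename) {
  return `<h1 class="entry-title">${escapeHtml(filename)}</h1>`;
}

// Allowlist of tags and the attributes each may keep. Event handlers and
// style are never listed, so they are dropped wherever they appear.
const ALLOWED = { a: ["href", "title"], strong: [], em: [], code: [] };
const TAG_RE = /<\s*(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE =
  /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Rebuilds every tag from its parsed parts so only allowlisted attributes
// survive, each re-quoted and escaped; tags not on the list are escaped.
function sanitizeHtml(html) {
  return String(html).replace(TAG_RE, (whole, slash, name, attrText) => {
    const tag = name.toLowerCase();
    if (!(tag in ALLOWED)) return escapeHtml(whole);
    if (slash) return `</${tag}>`;
    const kept = [];
    for (const m of attrText.matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      if (!ALLOWED[tag].includes(attr)) continue;
      const value = m[2] ?? m[3] ?? m[4] ?? "";
      // Only http(s), mailto and site-relative links are kept in href.
      if (attr === "href" && !/^(https?:|mailto:|\/)/i.test(value.trim())) continue;
      kept.push(` ${attr}="${escapeHtml(value)}"`);
    }
    return `<${tag}${kept.join("")}>`;
  });
}

// Well-formedness check used by the assertions: even number of quotes
// and no tag left open at the end of the text.
function isWellFormed(html) {
  const quotes = (html.match(/"/g) || []).length;
  return quotes % 2 === 0 && !/<[^>]*$/.test(html);
}

// Wrong order: sanitise, then cut to a fixed size (as a fixed-width storage
// column would). The cut lands inside the rebuilt title attribute, so the
// stored markup is no longer the markup that was checked.
function storeUnsafely(html, maxLen) {
  return sanitizeHtml(html).slice(0, maxLen);
}

// Right order: enforce the size limit on the raw input first, then sanitise
// the whole of what is kept, so stored markup and checked markup are identical.
function storeSafely(html, maxLen) {
  if (String(html).length > maxLen) return { ok: false, reason: "comment too long" };
  return { ok: true, html: sanitizeHtml(html) };
}
```

The sanitised comment still carries the `onmouseover=` text, but only inside the value of a re-quoted `title` attribute where it is inert; the damage in `storeUnsafely` comes from cutting that value short so the quote never closes. Checking the raw length first, as `storeSafely` does, keeps the stored content identical to what the sanitiser produced.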
- Summary: Combined with the recent content injection vulnerability we found, it’s possible for a remote attacker to deface a random post on the site and store malicious JavaScript code in it. This code would be executed when visitors view the post and when anyone edits the post from the WordPress dashboard. As a result, when an administrator tries to fix the defaced post, they would unknowingly trigger the malicious script, which could then be used to put a backdoor on the site and create new admin users.
- Vulnerability types: XSS
- Tested in version: 4.2
- Fixed in version: 4.2.13
- GIF Walkthrough:
- Steps to recreate:
- Create a new post
- Edit the post as Text, and embed the following:
[embed src='http://youtube.com/embed/12345\x3csvg onload=alert(1)\x3e'][/embed]
- View post
- Affected source code:
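Added example (not part of this report and not WordPress code): the payload in report 3 contains `\x3c` and `\x3e`, which an HTML-context escaper leaves untouched because they are not HTML metacharacters; they only become `<` and `>` when the value is later decoded as a JavaScript string literal. The JavaScript below assumes the embed URL reaches such a context (for example an editor script that re-renders the shortcode); that assumption is the mechanism being illustrated, not a statement about the affected WordPress code, which the report leaves blank. It compares naive string concatenation, HTML-only escaping, and JSON encoding with `<`/`>` rewritten as `\u003c`/`\u003e`, and uses `new Function` only to emulate how a JavaScript parser decodes each literal. `escapeAttr`, `naiveJsString`, `safeJsString`, `evaluateJsLiteral`, `inlineScript` and `compare` are names chosen for this example.

```javascript
// Added example, not WordPress code. The embed URL as typed into the
// shortcode in report 3: the backslashes are literal characters in the text.
const EMBED_SRC = "http://youtube.com/embed/12345\\x3csvg onload=alert(1)\\x3e";

// HTML attribute-context escaping: correct for an HTML attribute, but it
// does nothing to backslash escape sequences because they are not HTML.
function escapeAttr(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Naive JavaScript string construction: the value is dropped between quotes
// unchanged, so the JS parser will interpret \x3c as '<'.
function naiveJsString(value) {
  return "'" + value + "'";
}

// Safe JavaScript string construction: JSON encoding doubles the backslash
// so the sequence stays literal, and any real '<' or '>' is emitted as a
// \u escape so the literal can never close an enclosing <script> block.
function safeJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e");
}

// Emulates the browser's JavaScript parser decoding a string literal, which
// is what an inline script such as `var src = <literal>;` would do.
function evaluateJsLiteral(literal) {
  return new Function("return " + literal + ";")();
}

// Builds the inline-script fragment an editor might emit for the embed,
// using the safe encoding.
function inlineScript(src) {
  return "<script>var embedSrc = " + safeJsString(src) + ";</script>";
}

// What each encoding of the same value decodes to once parsed as JavaScript.
function compare(value) {
  return {
    naive: evaluateJsLiteral(naiveJsString(value)),
    htmlOnly: evaluateJsLiteral(naiveJsString(escapeAttr(value))),
    safe: evaluateJsLiteral(safeJsString(value)),
  };
}
```

For the report's payload, `compare(EMBED_SRC).naive` and `.htmlOnly` both decode to a URL that ends in a literal `<svg onload=alert(1)>` tag, because `escapeAttr` finds nothing to escape in `\x3c`; `.safe` decodes back to the original text with its backslashes intact. The rule the example shows is that escaping has to match the context the value is finally written into, and a value that crosses from HTML into JavaScript needs JavaScript-string encoding at that boundary.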
Image for Report # 2 was downloaded from mob.org
- WordPress Source Browser
- WordPress Developer Reference
- WordPress 4.2 core stored XSS
- Packet Storm Security -- Persistent XSS
- WordPress Unsafe Processing of File Names
- Stored XSS in WordPress Core
GIFs created with ScreenToGif for Windows
Copyright [2022] [alem-m]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.