A full-version stored XSS plug-in WordPress can be used in the background to affect more than 30 thousand websites

A full-version stored XSS plug-in WordPress can be used in the background to affect more than 30 thousand websites

Today, I entered my blog background as usual. I opened the SEO Redirection plug-in setting interface to check the redirect status of my website and see if anyone scanned my website or crawlers.

The plugin page is recorded by this plug-in.



The problem lies in the History page: The plug-in will display the jump link in the background without any filtering.



If this plug-in is installed on a WP website, we only need to access a simple link:

http://xxx.xxx/<script>alert(1)</script>

The link is displayed in the background of the website and the script is executed.
 

Test the cookie. The cookie is successfully received.
 

Because this jump record will always exist in the background if it is not manually cleared, every time the webmaster enters this page, it will be hit once, so there is no need to worry about cookie expiration issues.



This plug-in will also create three tables in the database, and the historical jump records will also be written to the database,
 

Due to the limited level, it is unclear whether such operation would pose a greater risk.



This plug-in has been installed by more than 30 thousand webmasters, so the harm is quite high.
 

If you write a crawler and match the website fingerprint to run all WP sites, all websites installed with this plug-in will be shot down. Of course I did not do this :)

 

 

 

Solution:

1. filter the output page in the background;

2. consider changing the storage mode of the link in the database.