WordPress has a vulnerability that could lead to JavaScript execution and thus privilege escalation when an administrator visits a page carrying specially crafted JavaScript. Unicode characters in file names are escaped by JavaScript on the client, but they are not escaped server-side. I've checked the latest version (4.6.1) at the time of writing this report and it is vulnerable.
Steps to reproduce:
Note that an image could be specially crafted with a 0-sized iframe; when an administrator visits the page, JavaScript could redirect them to create another user account, leading to privilege escalation.
Here is my explanation for the bug:
Unicode characters are not escaped server-side, but they appear to be escaped client-side, and that client-side escaping can be bypassed. This can be shown by uploading a file whose name contains a Unicode character and observing the "Ã" character inserted before it. For example: "±myfile.png" would become "Ã±myfile.png". This was tested with Tamper Data by watching the image field.
In wordpress\wp-admin\includes\file.php there is a function called "_wp_handle_upload". Ideally, this is where special characters should be escaped or otherwise dealt with. That function calls "wp_unique_filename", which in turn calls "sanitize_file_name", whose return value for such a name is a number instead of a filename.
If a file with a valid extension such as "myfile.png" is given, the intended behavior is that it will be saved under that name. If the same name is given twice, the second file is named myfile-1.png, and so on. However, because a special character can make wp_unique_filename produce a return value of 0, the resulting file name is "-1". If another such file is uploaded into the same year and month folder, it will be called "-2". For example, in "wordpress\wp-content\uploads\2016\10", if a "-1" file already exists there and a month passes, the next "-1" would go into the next folder: "wordpress\wp-content\uploads\2016\11".
Apache normally prevents JavaScript execution from images; however, a file named "-1" will be rendered as text, which can execute JavaScript.
The best mitigation would be to check for special characters in the _wp_handle_upload function.
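To make the naming path described above and the recommended check concrete, here is an added illustration in PHP; it is not WordPress's own code. The demo_* functions are a hypothetical, simplified model of sanitize-then-suffix naming: a name that sanitizes to nothing resolves to the upload directory itself, which always exists, so the suffix loop yields "-1" (then "-2"), while the pre-check rejects such names before they reach that step.

```php
<?php
// Added illustration, not WordPress code. All demo_* names are hypothetical.

// Models a sanitizer that keeps only a conservative ASCII character set.
// Without the /u modifier each byte of a multibyte character is removed, so a
// name made entirely of special characters sanitizes to the empty string.
function demo_sanitize_file_name(string $name): string {
    return preg_replace('/[^A-Za-z0-9._-]/', '', $name);
}

// Models the "-1", "-2" suffixing used when a name already exists in the
// target folder. $existing is a constructed list of names already present.
function demo_unique_filename(array $existing, string $name): string {
    // An empty name refers to the directory itself, which always exists:
    // this is the step that turns an empty sanitized name into "-1".
    $exists = fn(string $f): bool => $f === '' || in_array($f, $existing, true);
    $ext  = pathinfo($name, PATHINFO_EXTENSION);
    $base = $ext === '' ? $name : substr($name, 0, -strlen($ext) - 1);
    $candidate = $name;
    for ($n = 1; $exists($candidate); $n++) {
        $candidate = $base . '-' . $n . ($ext === '' ? '' : '.' . $ext);
    }
    return $candidate;
}

// The check the report recommends, placed where the upload handler would
// run it: refuse the upload when sanitizing changed the name (special
// characters were present) or left it without a base name or extension.
function demo_handle_upload(array $existing, string $original): array {
    $clean = demo_sanitize_file_name($original);
    $ext   = pathinfo($clean, PATHINFO_EXTENSION);
    $base  = $ext === '' ? $clean : substr($clean, 0, -strlen($ext) - 1);
    if ($clean !== $original || $base === '' || $ext === '') {
        return ['error' => 'File name contains unsupported characters or is incomplete.'];
    }
    return ['file' => demo_unique_filename($existing, $clean)];
}

// Constructed walk-through: the month folder already holds myfile.png.
$existing = ['myfile.png'];
// Normal collision handling: a second myfile.png gets a numeric suffix.
echo demo_unique_filename($existing, 'myfile.png'), PHP_EOL;
// The failure mode: a name that sanitizes to nothing is suffixed instead.
echo demo_unique_filename($existing, demo_sanitize_file_name('±')), PHP_EOL;
// With the pre-check in place the same upload is refused, not renamed.
print_r(demo_handle_upload($existing, '±myfile.png'));
```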
(I'm new to writing HackerOne reports, hopefully this is clear enough.)