WordPress: Stored self-XSS in mercantile.wordpress.org checkout

ID H1:230232
Type hackerone
Reporter eidelweiss
Modified 2017-07-14T06:49:11


Hello Team,

Summary after i read this #221893 report, i try to find more security issue there, and i was surprise i found an RCE Via Template Injection. Since on that report i see ng-bindable word, its possible the site also effect by RCE.

Step To Reproduce

  1. open https://mercantile.wordpress.org and sign up for account.
  2. after finish sign up navigate to https://mercantile.wordpress.org/my-account/edit-account/ to field your first and last name
  3. now navigate again to https://mercantile.wordpress.org/my-account/edit-address/
  4. field all form for Billing Address with {{1+1}} except the zip code and field all form with {{1==1}} for the Shipping Address. and press save.


  1. now try to make an order by select any product till process or step to https://mercantile.wordpress.org/checkout/
  2. there you will see, the code {{1+1}} that we have field in the form for address bellow is execute as 2 automaticly there. and the {{1==1}} in shipping address will be execute as true .


This is a vulnerability about Flask Template Engine(Jinja2) Injection or Angular JS Template Injection , more detail can be seen in these blogs for your Reference:

  1. https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2/
  2. https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/
  3. http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

Best Regards,