Wordpress thisXSSis actually very easy to use, anonymous users can post and trigger, this gives a simple analysis of the stability of the trigger of the POC.
In fact, the vulnerability of the author in the articlexss-vulnerability-4-1-2/" data-ke-src="https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/" target="_blank">https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/in the description, but the article gives the Payload don't know why in my test wp can not be triggered.
This vulnerability of the principle is interesting, by MYSQL a characteristic of the lead, when we will be a 4-byte UTF8 characters into mysql, mysql will see it as utf8mb4 encoding, when the utf8mb4 encoding of characters inserted into a UTF8 encoding of the column, in non-strict mode it will cause a truncation.
Truncated, then it can bypass a lot of rich text filter. For example, the insertion of two reviews of the“<img src=1”, and“onerror=alert(1)//”, which both do not trigger some of the rich text filters, because the former does not contain the white list outside of the property, which is not one label, but two comments if present on the same page, it will splice into a complete HTML tag, and trigger the onerror event.
While wordpress is not suitable for the above method, but researchers soon found a new method. After truncation, wordpress will use single quotation marks converted to“, so if we submit the comments is this:
| 1 | sometext ---|---
2 | <blockquote cite='x onmouseover=alert(1) 𝌆'> ---|---