Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress 4.2 Cross Site Scripting

🗓️ 27 Apr 2015 00:00:00Reported by Jouko PynnonenType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 35 Views

WordPress 4.2 stored XSS allows admin code executio

Code
`*Overview*  
Current versions of WordPress are vulnerable to a stored XSS. An  
unauthenticated attacker can inject JavaScript in WordPress comments. The  
script is triggered when the comment is viewed.  
  
If triggered by a logged-in administrator, under default settings the  
attacker can leverage the vulnerability to execute arbitrary code on the  
server via the plugin and theme editors.  
  
Alternatively the attacker could change the administrator’s password,  
create new administrator accounts, or do whatever else the currently  
logged-in administrator can do on the target system.  
  
  
  
  
*Details*  
If the comment text is long enough, it will be truncated when inserted in  
the database. The MySQL TEXT type size limit is 64 kilobytes so the comment  
has to be quite long.  
  
The truncation results in malformed HTML generated on the page. The  
attacker can supply any attributes in the allowed HTML tags, in the same  
way as the previous stored XSS vulnerabilities affecting WordPress.  
  
The vulnerability bears a similarity to the one reported by Cedric Van  
Bockhaven in 2014 (patched this week, after 14 months). Instead of using an  
invalid UTF-8 character to truncate the comment, this time an excessively  
long comment text is used for the same effect.  
  
In these two cases the injected JavaScript apparently can't be triggered in  
the administrative Dashboard, so these exploits require getting around  
comment moderation e.g. by posting one harmless comment first.  
  
  
  
  
*Proof of Concept*  
Enter the following as a comment:  
  
<a title='x onmouseover=alert(unescape(/hello%20world/.source))  
style=position:absolute;left:0;top:0;width:5000px;height:5000px  
AAAAAAAAAAAA [64 kb] ...'></a>  
  
  
This was tested on WordPress 4.2, 4.1.2, and 4.1.1, MySQL versions 5.1.53  
and 5.5.41.  
  
  
  
  
*Solution*  
Disable comments (Dashboard, Settings/Discussion, select as restrictive  
options as possible). Do not approve any comments.  
  
  
  
  
*Credits*  
The vulnerability was discovered by Jouko Pynnönen of Klikki Oy.  
  
An up-to-date version of this document: http://klikki.fi/adv/wordpress2.html  
  
  
  
--   
Jouko Pynnönen <[email protected]>  
Klikki Oy - http://klikki.fi - @klikkioy  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Apr 2015 00:00Current
7.4High risk
Vulners AI Score7.4
wordpresscross site scriptingstored xssadmincode executioncomment truncationhtml attributesproof of conceptdisable commentsklikki oy
35