WordPress 4.5.3 Audio Playlist Cross Site Scripting

`------------------------------------------------------------------------  
WordPress audio playlist functionality is affected by Cross-Site  
Scripting  
------------------------------------------------------------------------  
Yorick Koster, July 2016  
  
------------------------------------------------------------------------  
Abstract  
------------------------------------------------------------------------  
Two Cross-Site Scripting vulnerabilities exists in the playlist  
functionality of WordPress. These issues can be exploited by convincing  
an Editor or Administrator into uploading a malicious MP3 file. Once  
uploaded the issues can be triggered by a Contributor or higher using  
the playlist shortcode.  
  
------------------------------------------------------------------------  
OVE ID  
------------------------------------------------------------------------  
OVE-20160717-0003  
  
------------------------------------------------------------------------  
Tested versions  
------------------------------------------------------------------------  
This issue was successfully tested on the WordPress version 4.5.3.  
  
------------------------------------------------------------------------  
Fix  
------------------------------------------------------------------------  
These issues are resolved in WordPress version 4.7.3.  
  
------------------------------------------------------------------------  
Details  
------------------------------------------------------------------------  
https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html  
  
It was discovered that meta information (ID3) stored in audio files are not properly sanitized in case they are uploaded by a user with the unfiltered_html (generally an Editor or Administrator).  
  
The first Cross-Site Scripting vulnerability exists in the function that processes the playlist shortcode, which is done in the wp_playlist_shortcode() method (/wp-includes/media.php). This method creates a <noscript> block for users with JavaScript disabled.  
  
  
The method wp_get_attachment_link() does not perform any output encoding on the link text. Meta information from the audio file is used in the link text, rendering wp_playlist_shortcode() vulnerable to Cross-Site Scripting.  
  
The second Cross-Site Scripting issue is DOM-based and exists in the JavaScript file /wp-includes/js/mediaelement/wp-playlist.js (or /wp-includes/js/mediaelement/wp-playlist.min.js). The WPPlaylistView object is used to render a audio player client side. The method renderTracks() uses the meta information from the audio file in a call to jQuery's append() method. No output encoding is used on the meta information, resulting in a Cross-Site Scripting vulnerability.  
  
  
Proof of concept  
  
The following MP3 file can be used to reproduce this issue:  
  
https://securify.nl/advisory/SFY20160742/xss.mp3  
  
1) upload MP3 file to the Media Library (as Editor or Administrator).  
2) Insert an Audio Playlist in a Post containing this MP3 (Create Audio Playlist).  
  
------------------------------------------------------------------------  
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its  
goal is to contribute to the security of popular, widely used OSS  
projects in a fun and educational way.  
  
`