WordPress 5.9 Cross Site Scripting

`Document Title:  
===============  
Wordpress <= 5.9 Cross-Site Scripting Reflected (Authenticated)  
  
  
Credits & Authors:  
==================  
Taurus Omar [[email protected]]  
  
  
Disclosure Type:  
================  
Independent Security Research  
  
  
Release Date:  
=============  
2022-31-01  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2022-05-02: Public Disclosure  
  
  
Vulnerability CVE  
===================  
Pending (CVE-xxxxx)  
  
  
Vulnerability Class:  
====================  
Cross Site Scripting - Reflected  
  
  
Product & Service Introduction:  
===============================  
WordPress (WP, WordPress.org) is a free and open-source content  
management system (CMS) written in PHP[4] and paired with a MySQL or  
MariaDB database. Features include a plugin architecture and a template  
system, referred to within WordPress as Themes. WordPress was  
originally  
created as a blog-publishing system but has evolved to support other  
web  
content types including more traditional mailing lists and forums,  
media  
galleries, membership sites, learning management systems (LMS) and  
online  
stores. One of the most popular content management system solutions in  
use,  
WordPress is used by 42.8% of the top 10 million websites as of October  
2021.  
  
  
Vendor HomePage  
===============================  
https://wordpress.org/download/  
  
  
Abstract Advisory Information:  
==============================  
An independent vulnerability researcher discovered a reflected cross  
site web vulnerability in wordpress framwork.  
  
  
Affected Product(s):  
====================  
All wordpress version <= 5.9  
  
  
Discovery Status:  
=================  
Published  
  
  
Exploitation Technique:  
=======================  
Local  
  
  
Severity Level:  
===============  
Medium  
  
  
Proof of Concept (PoC):  
=======================  
Reflected XSS is done when a user with the AUTHOR or CONTRIBUTOR role  
adds a javascript payload in the Post's Excerpt function, whenever a  
user wants to use the Add Block function in their post or page, the XSS  
will be executed. Also the post and page editor allows executing the xss payload  
directly just by copying and pasting the malicious javascript.  
  
## POC1:The malicious Excerpt will be executed in the post and page  
sections at the moment you want to use the add new block function and  
typing some name in the search engine of the add block function  
reflecting it in all the wordpress editor sections.  
  
1.) Login whit user author or contributor  
2.) Add new post  
3.) Add Block Post Excerpt  
4.) Add malicious code in the Extract function (<object data="javascript:alert(0)">)  
5.) Replicated  
  
## POC2 IN BLOCK FUCTION  
1.) Login whit user author  
2.) Add new post  
3.) Publish Post  
4.) Add malicious code in the Extract function (<object data="javascript:alert(0)">)  
5.) In the post editor add a new block  
6.) Search for something in the block search engine7.) Replicated  
  
## POC3: XSS IN POST & PAGE EDITOR  
1.) Login whit user author or contributor  
2.) Add new post  
3.) Copy & Page (<object data="javascript:alert(0)">) in editor4.)  
4.) Replicated  
  
  
## Firefox Payload:  
<object data="javascript:alert('xss')">  
<object data=/ onload=alert(1)>  
<iframe src="javascript:alert(1)">  
  
## Chrome Payload:  
<form><button formaction=javascript:alert(1)>XSS  
<iframe src="javascript:alert(1)">  
<form action=javascript:alert(1)><input type=submit value=XSS>  
  
## Poc Image:  
https://i.imgur.com/WiaEUEE.png  
https://i.imgur.com/voJptm0.png  
  
## Poc Video  
https://www.youtube.com/watch?v=UEgEMADeOC8  
  
  
Solution - Fix & Patch:  
=======================  
The vulnerability can be resolved by a encode and secure parse / escape  
of the inputs. In a second step the output location were the execute occurs needs  
to be sanitized.  
  
  
## Impact  
Cross-Site Scripting, XSS will be executed, since in all the sections  
where the editor and search engine of the add block function can be  
used as well as in the post and page section of the editor with the copy and  
paste function.  
  
  
#######  
#  
# Disclaimer:  
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.  
# The usual disclaimer applies, especially the fact that Taurus Omar is not liable for any damages  
# caused by direct or indirect use of the information or functionality provided by these programs.  
# The author or any Internet provider bears NO responsibility for content or misuse of these programs  
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,  
# system crash, system compromise, etc.) caused by the use of these programs are not Taurus Omar's  
# responsibility.  
#  
#######  
`