WordPress.org

Make WordPress Core

Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#21917 closed defect (bug) (invalid)

Wordpress 3.4.2 - Multiple XSS Vulnerability

Reported by: nuxbie Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.4.2
Component: General Keywords:
Focuses: Cc:

Description

[ Wordpress 3.4.2 - Multiple XSS Vulnerability ]

Hello, my name is Catur Febrian (nuxbie).
I have bugs at new webapps wordpress (last version).
This bugs is XSS (Cross Site Scripting).
Wordpress 3.4.2 have a multiple vuln.

  1. XSS WP-Post.
  2. XSS WP-Page.
  3. XSS WP-MediaLibrary.

Please, read my exploit report... :-)

Exploit Title: CMS Wordpress - Multiple XSS Vulnerability
Author : TheCyberNuxbie [ Catur Febrian ]
E-mail : root@…
Version CMS : Version 3.4.2 (Last Version)
Category : WebApps / Content Management System (CMS)
Security Risk: Medium Level
Link Downlaod: http://www.wordpress.org/
Tested On : Mozilla Firefox + Xampp + Windows 7 x32 ID

[ Information Content ]
WordPress - Web Publishing Software.
http://www.wordpress.org/

[ Vulnerability Details ]

  1. XSS WP-Post.
  2. XSS WP-Page.
  3. XSS WP-MediaLibrary.

[ XSS CODE ]
<script>alert('31337');</script>
<script>alert(document.cookie);</script>
<script>window.open("http://www.google.com/")</script>

  • Exploit Report:
  1. Create / Edit WP-Post:

Input "Title Post" with Script XSS.
<script>alert('31337');</script>
http://wordpress/wp-admin/post-new.php <--- Publish.
View XSS: http://wordpress/?p=xxx <--- XSSed.
PIC: http://31337sec.com/wordpress/xss-post1.jpg + http://31337sec.com/wordpress/xss-post2.jpg

  1. Create / Edit WP-Page:

Input "Title Page" with Script XSS.
<script>alert('31337');</script>
http://wordpress/wp-admin/post-new.php?post_type=page <--- Publish.
View XSS: http://wordpress/?page_id=xxx <--- XSSed.
PIC: http://31337sec.com/wordpress/xss-page1.jpg + http://31337sec.com/wordpress/xss-page2.jpg

  1. Add / Edit WP-Media Library:

Upload files via Media Library.
http://wordpress/wp-admin/media-new.php <--- Select File.
Upload Files, Save...!!!
Input Form "Title", "Caption", "Description" with Script XSS <--- Save All Changes.
View XSS: http://wordpress/?attachment_id=xxx <--- XSSed.
PIC: http://31337sec.com/wordpress/xss-media1.jpg + http://31337sec.com/wordpress/xss-media2.jpg + http://31337sec.com/wordpress/xss-media3.jpg

  • Script XSS will be affacted:
  1. Frontend Website (post).

http://wordpress/?p=xxx <--- XSSed.

  1. Frontend Website (page).

http://wordpress/?page_id=xxx <--- XSSed.

  1. Frontend Website (attachment).

http://wordpress/?attachment_id=xxx <--- XSSed.

Thanks...
TheCyberNuxbie

Attachments (1)

Wordpress XSS Vuln.txt (2.3 KB) - added by nuxbie 9 years ago.

Download all attachments as: .zip

Change History (3)

@nuxbie
9 years ago

#1 @nacin
9 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Please do not report "security issues" publicly. http://codex.wordpress.org/Security_FAQ#Where_do_I_report_security_issues.3F

Also , this isn't a security issue. http://codex.wordpress.org/Security_FAQ#Why_are_some_users_allowed_to_post_unfiltered_HTML.3F

If you posted this publicly anywhere else (exploit sites, disclosure mailing lists) please rescind it as invalid.

We encourage responsible, private disclosure of security issues in part so invalid reports do not spread.

#2 @johnbillion
9 years ago

Evidently we really do need to put the "Do not report potential security vulnerabilities here" message on the New Ticket screen in big bright red flashing text.

Note: See TracTickets for help on using tickets.