
Opened 2 months ago

Closed 2 months ago

#47907 closed defect (bug) (invalid)

Stored XSS

Reported by: rohit001 Owned by:
Milestone: Priority: normal
Severity: normal Version: 5.2.2
Component: General Keywords:
Focuses: ui, administration Cc:
PR Number:

Description

Greetings,

XSS (Cross-Site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.

XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Steps To Reproduce:

Step-1: Log in to WordPress 5.2.2
Step-2: Create a page or add a new page, publish it, and then comment. In the comment section I entered my script, i.e. <script>alert("You are Hacked")</script>
Step-3: After submitting, refresh the page
Step-4: A pop-up will occur. Affected URL:

http://localhost/wordpress/2019/08/21/test/#comment-3.

Impact:

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

Recommendation:

  1. Whitelist parameter values, i.e. accept only the known good.
  2. Encode HTML output
  3. Encode URL output
  4. Enable the ASP.NET request validation property
  5. Use an anti-XSS library

// Encoder.HtmlEncode comes from the Microsoft AntiXSS library
using Microsoft.Security.Application;

if (Request.QueryString[0] != null)
{
    string searchkeyword = Request.QueryString[0];
    // HTML-encode the untrusted query value before it is written into the page
    lblmsg.Text = "Search results for keyword : " + Encoder.HtmlEncode(searchkeyword);
}

Attachments (3)

Stored XSS.PNG (46.9 KB) - added by rohit001 2 months ago.
Stored XSS
Store XSS'.PNG (57.3 KB) - added by rohit001 2 months ago.
Stored XSS
stored XSS 1.PNG (45.6 KB) - added by rohit001 2 months ago.
Stored XSS


Change History (5)

@rohit001
2 months ago

Stored XSS

@rohit001
2 months ago

Stored XSS

@rohit001
2 months ago

Stored XSS

#1 @williampatton
2 months ago

Hey @rohit001,

Were you still logged in when you commented? Admin-level users have the capability to post content with unfiltered HTML code in it, but other users have filters applied to their submissions to escape and/or strip things that shouldn't be there, to mitigate these XSS possibilities.

Could you try it while logged out as well and see if there is any change?

#2 @swissspidy
2 months ago

  • Keywords close removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from major to normal
  • Status changed from new to closed

Hi @rohit001

When creating this ticket you were shown a warning that you should not report potential security vulnerabilities here.

Instead, you should see the Security FAQ and visit the WordPress HackerOne program.

In both places you would have learned that users with administrator or editor privileges can post arbitrary JavaScript, and that this is totally expected. From your screenshots it's clear that you're still logged in.

If you think you have found a real security vulnerability, please head over to HackerOne, and do not post it here.

Thanks for your cooperation.
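The two comments above explain why the report is invalid: WordPress filters comment HTML for ordinary users at save time, and only users holding the unfiltered_html capability (administrators and editors on single-site installs) keep raw markup. The following is an added example, not WordPress code and not the reporter's code: a simplified Python model of that pipeline, combining the reporter's own recommendations (allow-list the input, encode the output) with the capability gate the reviewers describe. The allow-list, the render functions and the constructed sample comment are assumptions for illustration; the sample reuses the exact payload from the ticket.

```python
"""Simplified model of a comment pipeline that neutralises the payload from
the ticket.  Added example: the allow-list and the 'unfiltered_html' gate
mirror the idea behind WordPress's wp_kses filtering, but the functions
here are a constructed illustration, not WordPress's own API."""
import html
from html.parser import HTMLParser

# Constructed sample: the comment body from the report plus some benign text.
SAMPLE_COMMENT = '<script>alert("You are Hacked")</script> nice post <b>thanks</b>'

# Allow-list of tags (and the attributes permitted on each) for ordinary
# commenters.  Anything not listed is dropped as a tag; its text is kept.
ALLOWED_TAGS = {"b": set(), "i": set(), "em": set(), "strong": set(), "a": {"href"}}


class AllowListSanitizer(HTMLParser):
    """Rebuild an HTML fragment keeping only allow-listed tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside <script>/<style>: drop text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop it (e.g. <img onerror=...>)
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # event handlers and unknown attributes are dropped
            if name == "href" and not value.lower().startswith(("http://", "https://")):
                continue  # javascript:, data: and similar schemes are dropped
            safe_attrs.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth == 0:
            # text content is re-escaped so it can never be parsed as markup
            self.out.append(html.escape(data, quote=False))


def sanitize_allowlist(fragment):
    """Recommendation 1 from the ticket: accept only known-good markup."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def store_comment(comment, user_caps):
    """Save-time filtering as described in the comments above: only a user
    holding 'unfiltered_html' keeps raw HTML; everyone else is filtered."""
    if "unfiltered_html" in user_caps:
        return comment
    return sanitize_allowlist(comment)


def render_comment_vulnerable(stored_comment):
    """The pattern the reporter describes: stored text written straight
    into the page, so any surviving <script> runs in the viewer's browser."""
    return f'<div class="comment">{stored_comment}</div>'


def render_comment_escaped(stored_comment):
    """Recommendation 2 from the ticket: HTML-encode on output, which makes
    the payload harmless regardless of what was stored."""
    return f'<div class="comment">{html.escape(stored_comment, quote=True)}</div>'


if __name__ == "__main__":
    print("privileged user stores :", store_comment(SAMPLE_COMMENT, {"unfiltered_html"}))
    print("ordinary user stores   :", store_comment(SAMPLE_COMMENT, set()))
    print("escaped render         :", render_comment_escaped(SAMPLE_COMMENT))
```

Running the block shows the reviewers' point: the privileged path stores the `<script>` element untouched (expected for that role), the ordinary-user path keeps only ` nice post <b>thanks</b>`, and output encoding renders even the raw stored payload as inert text. In a real deployment both layers are used together; the allow-list protects the stored data, and output encoding protects every context the data is later written into.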
