Strictly social XSS vulnerability in WordPress
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 6 Nov 2011 19:40:06 +0200
I want to warn you about a Cross-Site Scripting vulnerability in WordPress,
which I found on 15.10.2008 and to which all versions of WordPress are
vulnerable.
SecurityVulns ID: 12022.
There is a Cross-Site Scripting vulnerability in WordPress, in this case a
Strictly social XSS (http://websecurity.com.ua/5476/), and at once of two
types of this XSS class: Strictly social XSS persistent (link with
Strictly social XSS vulnerabilities (as all other examples of holes in
browsers, web applications and web sites mentioned in my article).
All versions of WordPress are vulnerable: WP 3.2.1 and previous versions.
I've tested it in different 2.0.x versions, including 2.0.11, and in 3.1.1.
In the comment field (parameter comment):
The attack will work only if an admin has published the comment, not a
non-authenticated user. For this it's possible to use the CSRF vulnerability
in WordPress <= 2.1.2 (http://securityvulns.ru/Qdocument260.html). In the
description of this vulnerability ciri wrote about persistent XSS (which
worked with CSRF), but I was talking about Strictly social XSS. In new
versions of WP, where there is protection against CSRF, it's possible to use
a reflected XSS hole (or other techniques developed by me) to bypass this
protection and publish the comment with the attacking code.
The developers had already fixed the CSRF in WordPress 2.0.10 and 2.1.3, but
the possibility of conducting Strictly social XSS (via anchor tag) still
remains even in the latest version of WP. The developers decided not to
remove this admin functionality, which would completely fix the XSS, and
limited themselves to fixing the CSRF. So both the above-mentioned persistent
XSS and the Strictly social XSS found by me are still working.
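The post's point is that a comment containing an anchor tag becomes dangerous once a privileged user approves it, so the defence belongs in how comment HTML is filtered before it is stored or rendered. The following is an added example written for this post, not WordPress code and not MustLive's proof of concept: a small allowlist sanitizer in Python (chosen for a stand-alone demonstration; WordPress itself is PHP) that keeps only a few harmless tags, drops every event-handler attribute, and accepts an href only when its scheme is http, https or mailto after whitespace and character references are normalized. Tag and attribute lists, the `rel` value and the sample comments are constructed assumptions for the example.

```python
"""Allowlist-based comment sanitizer (added example, not WordPress code)."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy for the example: a minimal set of formatting tags and,
# for anchors, only href and title. Event handlers are never allowed.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "code", "p", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
SKIPPED_CONTENT = {"script", "style"}  # their text is dropped, not just the tags


def safe_href(value: str):
    """Return the href unchanged if its scheme is allowed, else None.

    Browsers ignore embedded whitespace and control characters when reading a
    URL scheme, so those are stripped before the scheme is inspected.
    """
    cleaned = "".join(ch for ch in value if not ch.isspace() and ch.isprintable())
    scheme = urlparse(cleaned).scheme.lower()
    if scheme:
        return value if scheme in ALLOWED_SCHEMES else None
    # No scheme parsed: a colon anywhere could still be read as one by a
    # browser, so relative links containing ':' are rejected (conservative).
    return value if ":" not in cleaned else None


class CommentSanitizer(HTMLParser):
    """Re-serializes comment HTML, keeping only allowlisted tags/attributes."""

    def __init__(self):
        # convert_charrefs=True decodes entities such as &#106; in attribute
        # values and text, so the scheme check sees the real characters.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attribute) pairs removed, useful for review logs
        self.skip = 0      # nesting depth inside script/style content

    def handle_starttag(self, tag, attrs):
        if tag in SKIPPED_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content still flows through
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name))
                continue
            if name == "href":
                value = safe_href(value or "")
                if value is None:
                    self.dropped.append((tag, "href"))
                    continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        if tag == "a":
            # Always re-emit our own rel on links from untrusted authors.
            kept.append(' rel="nofollow noopener"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in SKIPPED_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip == 0:
            self.out.append(html.escape(data, quote=False))


def sanitize_comment(raw: str):
    """Return (clean_html, dropped) for one untrusted comment body."""
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample comments for the example.
    samples = [
        '<a href="https://example.com/">site</a>',
        '<a href="javascript:alert(1)" onclick="x()">click</a>',
        '<b onmouseover="x()">bold</b> <script>alert(1)</script>text',
    ]
    for raw in samples:
        clean, dropped = sanitize_comment(raw)
        print(repr(raw), "->", repr(clean), "dropped:", dropped)
```

The `dropped` list is the part a defender wants: when an approved comment had an href or event handler stripped, that is the signal to log and review rather than silently accept, since the post's whole scenario depends on an admin approving a comment that looks harmless.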
I mentioned this vulnerability at my site:
Best wishes & regards,
Administrator of Websecurity web site
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/