Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Strictly social XSS vulnerability in WordPress
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 6 Nov 2011 19:40:06 +0200

Hello list!

I want to warn you about Cross-Site Scripting vulnerability in WordPress.
Which I've found already at 15.10.2008 and to which all versions of
WordPress are vulnerable.

SecurityVulns ID: 12022.

There is Cross-Site Scripting vulnerability in WordPress, in this case
Strictly social XSS (http://websecurity.com.ua/5476/). At that at once of
two types of this XSS class: Strictly social XSS persistent (link with
JavaScript/VBScript) and Strictly social XSS persistent self-contained (link
with data with JavaScript). This is good example of these two types of
Strictly social XSS vulnerabilities (as all other examples of holes in
browsers, web applications and web sites mentioned in my article).

Affected products:

Vulnerable are all versions of WordPress - WP 3.2.1 and previous versions.
I've tested in different 2.0.x versions, including 2.0.11, and in 3.1.1.


XSS (WASC-08):

In comment field (parameter comment):

<a href="javascript:alert(document.cookie)">test</a>
<a href="vbscript:MsgBox(document.cookie)">test</a>

The attack will work only if admin has published a comment, but not non-auth
user. For this it's possible to use CSRF vulnerability  in WordPress <=
2.1.2 (http://securityvulns.ru/Qdocument260.html). In the description of
this vulnerability ciri wrote about persistent XSS (which worked with CSRF),
but I was talking about Strictly social XSS. In new versions of WP, where
there is a protection against CSRF, it's possible to use reflected XSS hole
(or to use other techniques developed by me) for bypassing of this
protection and publishing of the comment with attacking code.

The developers had already fixed CSRF in WordPress 2.0.10 and 2.1.3, but
possibility of conducting Strictly social XSS (via anchor tag) still left
even in the last version of WP. The developers decided to not remove this
admin functionality, for complete fixing of XSS, limiting themselves to
fixing CSRF. So as above-mentioned persistent XSS, as Strictly social XSS
found by me, are still working.

I mentioned about this vulnerability at my site:

Best wishes & regards,
Administrator of Websecurity web site

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Strictly social XSS vulnerability in WordPress MustLive (Nov 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]