WordPress core 5.2.2 post previews XSS Vulnerability / Exploit
Exploits / Vulnerability Discovered: 2021-01-04 | Type: webapps | Platform: php
Description:
WordPress before 5.2.3 allows XSS in post previews by authenticated users.
Technical Details and Exploitation:
The vulnerability is due to two conditions:
1. wp_kses_bad_protocol_once() has a flaw in its URL sanitization that can be bypassed and can lead to a cross-site scripting vulnerability: the function strips disallowed protocols and converts HTML entities to defeat bypass techniques; however, in vulnerable versions it only checks for HTML entities after the colon, as can be seen from the applied fix:
============================================================================================================================================
This allows an attacker to inject attack strings such as:
============================================================================================================================================
<a href="javascript:alert(document.domain)">Example Attack</a>
============================================================================================================================================
However, WordPress normally protects against this attack because it converts every kind of HTML entity when rendering posts. In one particular case, the preview, it is possible to inject HTML entities into a URL. That is the second condition.
2. During preview, the get_the_content() function in post-template.php replaces URL-encoded characters with the corresponding HTML entity:
============================================================================================================================================
For this reason, it is possible to submit URL-encoded strings that are converted to HTML entities during preview. Those HTML entities can be crafted to bypass the wp_kses_bad_protocol_once() function because of the issue described in condition 1.
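The following Python is an added illustration, not code from the original advisory or from WordPress: it models the two conditions as simplified functions (a save-time protocol check that only inspects the scheme when it sees a literal or entity-encoded colon, and a preview step that rewrites percent-encoded characters as numeric entities) and shows the defensive principle the fix relies on, namely checking the canonical value the browser will actually see rather than the raw stored bytes. The regexes, the allowed-protocol list, the `%XX` encoding of the sample value and all helper names are assumptions constructed for this example.

```python
import html
import re
import urllib.parse

# Constructed model, not WordPress code: allowed-protocol list for the demo.
ALLOWED_PROTOCOLS = {"http", "https", "ftp", "mailto"}

# Condition 1 (modelled): the check only "sees" a scheme if the value contains
# a literal colon or an entity that is already spelled out as a colon.
COLON_SPLIT = re.compile(r":|&#0*58;|&#x0*3a;", re.IGNORECASE)


def extract_scheme(value):
    """Return the scheme before the first (literal or entity) colon, or None."""
    parts = COLON_SPLIT.split(value, maxsplit=1)
    if len(parts) < 2:
        return None  # no colon at all: treated as a relative URL
    # Browsers ignore non-alphanumerics in the scheme, so strip them.
    return re.sub(r"[^a-z0-9]", "", parts[0].lower())


def weak_href_is_safe(href):
    """Save-time check as in condition 1: raw value, no decoding first."""
    scheme = extract_scheme(href)
    return scheme is None or scheme in ALLOWED_PROTOCOLS


def preview_render(content):
    """Condition 2 (modelled): the preview path rewrites percent-encoded
    characters as numeric HTML entities, which the browser then decodes."""
    return re.sub(r"%([0-9A-Fa-f]{2})",
                  lambda m: "&#%d;" % int(m.group(1), 16), content)


def canonicalize(href):
    """Decode entities and percent-encoding until nothing changes, then drop
    the control characters and whitespace that browsers ignore in a scheme."""
    cur = href
    for _ in range(10):  # bounded: never loop forever on odd input
        nxt = urllib.parse.unquote(html.unescape(cur))
        if nxt == cur:
            break
        cur = nxt
    return re.sub(r"[\x00-\x20]", "", cur)


def browser_scheme(rendered_href):
    """What the browser ends up treating as the scheme of the rendered value."""
    return extract_scheme(canonicalize(rendered_href))


def hardened_href_is_safe(href):
    """Fix principle: validate the canonical form the browser will see."""
    scheme = browser_scheme(href)
    return scheme is None or scheme in ALLOWED_PROTOCOLS


if __name__ == "__main__":
    # Constructed sample values for the demo.
    samples = [
        "https://example.com/page",
        "javascript%3Aalert(document.domain)",  # percent-encoded colon
    ]
    for href in samples:
        print(href)
        print("  weak save-time check passes :", weak_href_is_safe(href))
        print("  preview renders as          :", preview_render(href))
        print("  browser sees scheme         :", browser_scheme(preview_render(href)))
        print("  hardened check passes       :", hardened_href_is_safe(href))
```

The point the model makes is about ordering: a sanitizer that runs before a later transform (here the preview's encoding rewrite) validates bytes the browser never sees. Either the transform has to be applied before the check, or the check has to be repeated on the output path; `hardened_href_is_safe` does the former by canonicalizing first.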
Proof of Concept:
1. Create a new post.
2. In the code editor, insert the following HTML PoC code: