[wp-trac] [WordPress Trac] #58336: Potential XSS on admin_body_class hook

WordPress Trac noreply at wordpress.org
Wed May 17 04:42:14 UTC 2023


#58336: Potential XSS on admin_body_class hook
--------------------------+-----------------------------
 Reporter:  rafiem        |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 ## Description:

 We are from Patchstack want to report for a potential XSS
 on`admin_body_class` hook. The `admin_body_class` hook as stated on
 https://developer.wordpress.org/reference/hooks/admin_body_class/ could be
 used to filters the CSS classes for the body tag in the admin area. Plugin
 or theme developer able to use this hook to extend the main body class
 value with supplied string. This is the implementation of
 `admin_body_class` hook on the WordPress core
 (https://github.com/WordPress/wordpress-develop/blob/6.2/src/wp-admin
 /admin-header.php#L245) :

 {{{#!php
 <?php
 $admin_body_classes = apply_filters( 'admin_body_class', '' );
 $admin_body_classes = ltrim( $admin_body_classes . ' ' . $admin_body_class
 );
 ?>
 <body class="wp-admin wp-core-ui no-js <?php echo $admin_body_classes;
 ?>">
 <script type="text/javascript">
         document.body.className = document.body.className.replace('no-
 js','js');
 </script>
 }}}


 Unfortunately, there is no proper sanitization applied to the echoed
 $admin_body_classes variable on the WordPress core. This could lead to a
 potential XSS when the value returned from using the hook is not properly
 sanitized on the plugin or theme code side.

 Please note that we are not fully sure if this should be treated as
 vulnerability or it should fall only under the security code improvement.
 But we believe that the possible XSS could be fully prevented from
 WordPress core side if the implementation of the hook is properly
 sanitized.

 ## Steps To Reproduce:

 Create a plugin or theme that have this example PHP codes :

 {{{#!php
 <?php
 add_action( 'admin_body_class', 'added_body_class'  );

 public function added_body_class( $classes ) {
     $classes .= sanitize_text_field( $_GET['type'] );

     return $classes;
 }
 }}}


 The XSS then could be triggered by visiting the URL that trigger above
 code using this example payload :

 ```
 http://localhost/wp-admin?page=test&type=xxxxxxx"
 onload=alert(document.domain) xxx="
 ```

 We currently tried to research some of the plugin and theme that could be
 vulnerable from the `admin_body_class` implementation. So far, we are able
 to find the practical XSS on the Advanced Custom Fields plugin (Ref :
 https://patchstack.com/articles/reflected-xss-in-advanced-custom-fields-
 plugins-affecting-2-million-sites/)

 ## Recommendations

 The intended value of the HTML `class` parameter should only consist of
 specific whitelisted character to be valid. WordPress already have a
 function to sanitize html class value such as
 https://developer.wordpress.org/reference/functions/sanitize_html_class/ ,
 so we recommend to use the function on the implementation of
 `admin_body_class` hook

 ## Impact

 Potential XSS on the implementation of `admin_body_class` hook could lead
 to theft of information to a privilege escalation.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/58336>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list