[wp-trac] [WordPress Trac] #53973: WordPress <= 5.8 - Authenticated Persistent XSS (User role name)
WordPress Trac
noreply at wordpress.org
Tue Aug 24 15:24:09 UTC 2021
#53973: WordPress <= 5.8 - Authenticated Persistent XSS (User role name)
--------------------------+------------------------------
Reporter: visse | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Resolution:
Keywords: close | Focuses: administration
--------------------------+------------------------------
Comment (by visse):
Heya @TobiasBg,
>It looks like this requires PHP code access in the first place, correct?
Not really. This, of course, is the easiest and fastest way to show what I
am talking about, but a similar result can be achieved when interacting
with 3rd-party plugins which work with user roles in any way, as I
already mentioned in this ticket:
> Important to note that the functionality of adding custom roles is
> available in many plugins and themes, some of which aren't properly
> protected from CSRF attacks. Given this vulnerability, such attack vectors
> can be combined to successfully compromise a website.
>If an attacker has that, the site must be considered compromised anyways.
True, but:
> This vulnerability could be used to infect a website with malicious code
> or to keep a backdoor for future exploitations.
I mean exactly this part:
>to keep a backdoor for future exploitations
If we consider the scenario of an attack against a website through a 3rd-
party plugin with a CSRF vulnerability, then this will be a completely
different situation with bad consequences. As an example of such a scenario,
I mentioned the uListing plugin in this ticket.
> And even sanitizing everything everywhere (esc_attr() and so on) won't
> help as e.g. post content can not be protected like that.
Yep, but you can't really "hide" payloads in any post or page, basically
because such actions are predictable and expected, and not everyone will
think about checking user roles for some kind of malicious code and so on.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53973#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
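The discussion above hinges on third-party plugins that register custom roles without CSRF protection and on role display names being stored unescaped. As an added example (not code from this ticket, from WordPress core, or from any plugin named here), this is the shape such a plugin handler should take: a capability check, a nonce check against the CSRF vector, markup stripped from the display name before it is stored, and escaping again on output. The hook name, nonce action, form field names and the single capability granted are assumptions for illustration.

```php
<?php
/**
 * Added example: a CSRF-protected custom-role handler for a plugin.
 * Hook/action/field names are assumptions, not WordPress core APIs.
 * The form must emit:
 *   wp_nonce_field( 'example_add_role_action', 'example_add_role_nonce' );
 */

// Handles POST requests with action=example_add_role (assumed action name).
add_action( 'admin_post_example_add_role', 'example_handle_add_role' );

function example_handle_add_role() {
    // 1. Authorisation: only users who may manage options can create roles.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF: the request must carry a valid nonce bound to this action.
    check_admin_referer( 'example_add_role_action', 'example_add_role_nonce' );

    // 3. Role slug: restricted to lower-case [a-z0-9_-] by sanitize_key().
    $slug = isset( $_POST['role_slug'] ) ? sanitize_key( wp_unslash( $_POST['role_slug'] ) ) : '';

    // 4. Display name: strip every tag so no markup ever reaches the database.
    $display = isset( $_POST['role_name'] )
        ? trim( wp_strip_all_tags( wp_unslash( $_POST['role_name'] ) ) )
        : '';

    if ( '' === $slug || '' === $display ) {
        wp_die( 'Role slug and name are required.', 400 );
    }

    // Never overwrite an existing role, built-in roles included.
    if ( null !== get_role( $slug ) ) {
        wp_die( 'Role already exists.', 409 );
    }

    // Least privilege: grant a minimal, explicit capability set.
    add_role( $slug, $display, array( 'read' => true ) );

    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}

// Output side: escape the stored name even though it was sanitised on input,
// so a role inserted by any other code path cannot become stored XSS here.
function example_render_role_names() {
    foreach ( wp_roles()->role_names as $slug => $name ) {
        printf( '<li>%s (%s)</li>', esc_html( translate_user_role( $name ) ), esc_html( $slug ) );
    }
}
```

Input sanitisation and output escaping are applied independently on purpose: a role written by a different plugin bypasses the first, so the rendering code must not rely on it.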