[wp-trac] [WordPress Trac] #53973: WordPress <= 5.8 - Authenticated Persistent XSS (User role name)

WordPress Trac noreply at wordpress.org
Tue Aug 24 15:24:09 UTC 2021


#53973: WordPress <= 5.8 - Authenticated Persistent XSS (User role name)
--------------------------+------------------------------
 Reporter:  visse         |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Security      |     Version:  trunk
 Severity:  normal        |  Resolution:
 Keywords:  close         |     Focuses:  administration
--------------------------+------------------------------

Comment (by visse):

 Heya @TobiasBg,

 > It looks like this requires PHP code access in the first place, correct?
 Not really. This, of course, is the easiest and fastest way to show what I
 am talking about, but a similar result can be achieved when interacting
 with 3rd-party plugins which work with user roles in any way, as I
 already mentioned in this ticket:
 > Important to note that the functionality of adding custom roles is
 available in many plugins and themes, some of which aren't properly
 protected from CSRF attacks. Given this vulnerability, such attack vectors
 can be combined to successfully compromise a website.

 > If an attacker has that, the site must be considered compromised anyways.
 True, but:
 > This vulnerability could be used to infect a website with malicious code
 or to keep a backdoor for future exploitations.
 I mean exactly this part:
 > to keep a backdoor for future exploitations

 If we consider the scenario of an attack against a website through a 3rd-
 party plugin with a CSRF vulnerability, then this will be a completely
 different situation with bad consequences. As an example of such a
 scenario, I mentioned the uListing plugin in this ticket.
 > And even sanitizing everything everywhere (esc_attr() and so on) won't
 help as e.g. post content can not be protected like that.
 Yep, but you can't really "hide" payloads in any post or page, basically
 because such actions are predictable and expected, and not everyone will
 think about checking user roles for some kind of malicious code and so on.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/53973#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform