[wp-trac] [WordPress Trac] #53973: WordPress <= 5.8 - Authenticated Persistent XSS (User role name)
WordPress Trac
noreply at wordpress.org
Tue Aug 24 20:47:40 UTC 2021
#53973: WordPress <= 5.8 - Authenticated Persistent XSS (User role name)
--------------------------+------------------------------
Reporter: visse | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Resolution:
Keywords: dev-feedback | Focuses: administration
--------------------------+------------------------------
Changes (by TobiasBg):
* keywords: close => dev-feedback
Comment:
Thanks for the further explanations!
If this can be exploited in other plugins (without needing PHP code access
on a site), that is a vulnerability in those plugins and should be
reported to the plugin developers and the WordPress Plugins team via email
(which probably happened for the uListing plugin that you mentioned, as I
can see that it received security fixes in its latest releases).
I guess it can't hurt to add some hardening in WordPress Core though. As
the User Role name should never contain HTML code, output escaping (via
`esc_html()` for example) in all places where the role name is printed is
probably the best option here. Not only would it counter all possible ways
of how the malicious HTML could be added to the database, it would also
help uncover that such code exists. So essentially, even though the user
role name is coming from the database, it would be considered as
"untrusted".
Most likely there are more APIs where data is added to the database via
PHP calls and later printed somewhere, so this might have to be part of a
broader investigation.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53973#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
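The output-escaping approach described in the comment, as an added example that is not code from the ticket or from WordPress core. It assumes the `wp_user_roles` layout (slug => array with a `name` key), uses a minimal stand-in for `esc_html()` so it runs outside WordPress, and feeds it a constructed role whose display name carries markup:

```php
<?php
// Added example; not part of the ticket or WordPress core.
// Stand-in so the script runs without WordPress loaded. Real esc_html()
// also normalises pre-existing entities; this covers only the core escaping.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Constructed sample shaped like the wp_user_roles option: one clean role and
// one whose display name was written with HTML via a PHP call (assumption).
$roles = array(
    'editor'       => array( 'name' => 'Editor' ),
    'shop_manager' => array( 'name' => 'Shop <b>Manager</b> "Plus"' ),
);

// The pattern the comment argues against: trusting the role name because it
// came from the database and printing it raw.
function render_role_unescaped( $name ) {
    return '<td>' . $name . '</td>';
}

// The hardened pattern: treat the stored name as untrusted and escape it at
// every place it is printed, regardless of how it got into the database.
function render_role_escaped( $name ) {
    return '<td>' . esc_html( $name ) . '</td>';
}

// "Help uncover that such code exists": a role name that changes under
// escaping contains characters that should never be in a role name.
function find_roles_with_markup( array $roles ) {
    $flagged = array();
    foreach ( $roles as $slug => $role ) {
        if ( esc_html( $role['name'] ) !== $role['name'] ) {
            $flagged[] = $slug;
        }
    }
    return $flagged;
}

foreach ( $roles as $slug => $role ) {
    echo $slug, "\n  raw:     ", render_role_unescaped( $role['name'] ),
         "\n  escaped: ", render_role_escaped( $role['name'] ), "\n";
}
echo "roles with markup in their name: ", implode( ', ', find_roles_with_markup( $roles ) ), "\n";
```

Running it prints the `shop_manager` row once with live `<b>` tags and once as inert `&lt;b&gt;` text, and flags that slug in the audit line.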
WordPress publishing platform