[wp-trac] [WordPress Trac] #58336: Potential XSS on admin_body_class hook
WordPress Trac
noreply at wordpress.org
Wed May 17 04:42:14 UTC 2023
#58336: Potential XSS on admin_body_class hook
--------------------------+-----------------------------
Reporter: rafiem | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
## Description:
We are from Patchstack and want to report a potential XSS on the
`admin_body_class` hook. The `admin_body_class` hook, as documented at
https://developer.wordpress.org/reference/hooks/admin_body_class/, can be
used to filter the CSS classes for the body tag in the admin area. Plugin
or theme developers are able to use this hook to extend the main body class
value with a string of their own. This is the implementation of the
`admin_body_class` hook in WordPress core
(https://github.com/WordPress/wordpress-develop/blob/6.2/src/wp-admin/admin-header.php#L245):
{{{#!php
<?php
$admin_body_classes = apply_filters( 'admin_body_class', '' );
$admin_body_classes = ltrim( $admin_body_classes . ' ' . $admin_body_class );
?>
<body class="wp-admin wp-core-ui no-js <?php echo $admin_body_classes; ?>">
<script type="text/javascript">
	document.body.className = document.body.className.replace('no-js','js');
</script>
}}}
Unfortunately, no sanitization is applied to the echoed
`$admin_body_classes` variable in WordPress core. This could lead to a
potential XSS when the value returned through the hook is not properly
sanitized on the plugin or theme side.
Please note that we are not fully sure whether this should be treated as a
vulnerability or whether it falls only under security code improvement.
But we believe that the possible XSS could be fully prevented on the
WordPress core side if the output of the hook were properly
sanitized.
## Steps To Reproduce:
Create a plugin or theme that contains this example PHP code:
{{{#!php
<?php
// admin_body_class is a filter, so register the callback with add_filter().
add_filter( 'admin_body_class', 'added_body_class' );

// Deliberately insufficient: sanitize_text_field() strips tags and control
// characters but leaves double quotes intact, so the value can still break
// out of the class="" attribute when core echoes it unescaped.
function added_body_class( $classes ) {
	if ( isset( $_GET['type'] ) ) {
		$classes .= sanitize_text_field( $_GET['type'] );
	}
	return $classes;
}
}}}
The XSS can then be triggered by visiting a URL that reaches the above
code, using this example payload:
```
http://localhost/wp-admin?page=test&type=xxxxxxx" onload=alert(document.domain) xxx="
```
We have tried to research some of the plugins and themes that could be
vulnerable through their `admin_body_class` implementation. So far, we have
been able to find a practical XSS in the Advanced Custom Fields plugin (Ref:
https://patchstack.com/articles/reflected-xss-in-advanced-custom-fields-plugins-affecting-2-million-sites/)
## Recommendations
The intended value of the HTML `class` attribute should only consist of a
specific whitelisted set of characters to be valid. WordPress already has a
function to sanitize HTML class values,
https://developer.wordpress.org/reference/functions/sanitize_html_class/,
so we recommend using that function in the implementation of the
`admin_body_class` hook.
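As an added illustration of the recommendation above (example code, not WordPress core's and not the reporter's), the following helper escapes the combined class list per token with `sanitize_html_class()` before it reaches the `class=""` attribute, and runs it against the payload from the reproduction steps. It assumes WordPress is loaded; the fallback definition only mirrors the documented behaviour of `sanitize_html_class()` so the file can run stand-alone, and the core class string is a constructed sample.

```php
<?php
// Added example, not WordPress core code. Assumes WordPress is loaded so that
// sanitize_html_class() exists; the fallback below mirrors its documented
// behaviour (strip %xx sequences, keep only [A-Za-z0-9_-]) for stand-alone runs.
if ( ! function_exists( 'sanitize_html_class' ) ) {
	function sanitize_html_class( $class, $fallback = '' ) {
		$sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $class );
		$sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
		return '' === $sanitized ? $fallback : $sanitized;
	}
}

/**
 * Build an attribute-safe body class list from the filter result and core's
 * own classes. Every whitespace-separated token goes through
 * sanitize_html_class(), which removes quotes, '=', '(' and anything else
 * outside [A-Za-z0-9_-], so no token can close the class attribute and start
 * an event-handler attribute. Empty tokens are dropped.
 */
function example_safe_admin_body_classes( $filtered_classes, $core_classes ) {
	$combined = ltrim( $filtered_classes . ' ' . $core_classes );
	$tokens   = preg_split( '/\s+/', $combined, -1, PREG_SPLIT_NO_EMPTY );
	$safe     = array_filter( array_map( 'sanitize_html_class', $tokens ), 'strlen' );
	return implode( ' ', $safe );
}

// Constructed input: the ticket's payload as it arrives after sanitize_text_field(),
// which leaves the double quotes in place. The core class string is a sample value.
$hostile      = 'xxxxxxx" onload=alert(document.domain) xxx="';
$core_classes = 'admin-color-fresh locale-en-us';

$classes = example_safe_admin_body_classes( $hostile, $core_classes );
echo '<body class="wp-admin wp-core-ui no-js ' . $classes . '">' . PHP_EOL;
```

The quotes and `=` are stripped from each token, so the rendered attribute stays a plain class list and the `onload` fragment never becomes an attribute of its own.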
## Impact
A potential XSS in the implementation of the `admin_body_class` hook could
lead to anything from theft of information to privilege escalation.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58336>
WordPress Trac <https://core.trac.wordpress.org/>