Document Title:
===============
Wordpress v5.9 - Reflected Cross Site Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2316

Release Date:
=============
2022-02-09

Vulnerability Laboratory ID (VL-ID):
====================================
2316

Common Vulnerability Scoring System:
====================================
4.2

Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
WordPress (WP, WordPress.org) is a free and open-source content management system (CMS) written in PHP and paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes. WordPress was originally created as a blog-publishing system but has evolved to support other web content types including more traditional mailing lists and forums, media galleries, membership sites, learning management systems (LMS) and online stores. One of the most popular content management system solutions in use, WordPress is used by 42.8% of the top 10 million websites as of October 2021.

(Copy of the Homepage: wikipedia.com)

Abstract Advisory Information:
==============================
An independent vulnerability researcher discovered a reflected cross site web vulnerability in the official Wordpress v5.9 framework.

Affected Product(s):
====================
Wordpress.org
Product: Wordpress v5.9 - Blog (PHP) (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2022-02-09: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Moderator Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
The reflected XSS can be exploited when a user with the Author or Contributor role adds a JavaScript payload in the post's Excerpt function; whenever a user then uses the Add Block function in their post or page, the XSS is executed. The post and page editor also executes the XSS payload directly when the malicious JavaScript is copied and pasted into it.

Proof of Concept (PoC):
=======================
The non-persistent cross site scripting web vulnerability can be exploited by remote attackers with a contributor or author user account (authenticated) and with low user interaction. For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.

Note: The cross-site scripting is executed in all sections where the editor and the search field of the Add Block function can be used, as well as in the post and page section of the editor via the copy and paste function.

PoC 1: The malicious excerpt is executed in the post and page sections as soon as the Add New Block function is used and a name is typed into the search field of the Add Block function, which reflects it in all WordPress editor sections.
1.) Login with user author or contributor
2.) Add new post
3.) Add Block Post Excerpt
4.) Add malicious code in the Excerpt function ()
5.) Replicated

PoC 2: XSS in Block function
1.) Login with user author
2.) Add new post
3.) Publish Post
4.) Add malicious code in the Excerpt function ()
5.) In the post editor add a new block
6.) Search for something in the block search engine
7.) Replicated

PoC 3: XSS in Post & Page editor
1.) Login with user author or contributor
2.) Add new post
3.) Copy & Paste () in editor
4.) Replicated

Firefox Payload:
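The flaw class described in the technical details is user-controlled text (an excerpt, a block-search term) reaching editor markup without output encoding. The following is an added example written for this advisory, not WordPress core or Gutenberg code: it places a rendering function that reflects raw input beside a hardened version that HTML-encodes every user-controlled value, and adds a small check a reviewer or test suite can use to spot unescaped reflection. The function names, the `ESCAPES` table and the sample excerpt and search term are constructed for the demonstration.

```javascript
// Added example (not WordPress/Gutenberg code). Demonstrates output
// encoding for excerpt text and block-search terms, the control that
// prevents the reflected XSS class this advisory describes.

// Constructed sample values; they only contain harmless markup characters.
const SAMPLE_EXCERPT = '<b>Draft</b> notes & "quotes"';
const SAMPLE_QUERY = '<img>';

// Replacement table for the five characters that are significant in an
// HTML text or quoted-attribute context.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode user-controlled text before it is placed into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: raw input concatenated into markup. Whatever the
// user typed into the excerpt field is reflected verbatim.
function renderExcerptUnsafe(excerpt) {
  return `<p class="excerpt">${excerpt}</p>`;
}

// Hardened pattern: the same template, but the value is encoded first.
function renderExcerptSafe(excerpt) {
  return `<p class="excerpt">${escapeHtml(excerpt)}</p>`;
}

// Block-search result line. The search term is echoed back to the user,
// so it needs the same treatment as the excerpt, as do the match names.
function renderSearchResultSafe(query, matches) {
  const items = matches.map((m) => `<li>${escapeHtml(m)}</li>`).join('');
  return `<p>Results for "${escapeHtml(query)}":</p><ul>${items}</ul>`;
}

// Review/detection helper: true when input that carries markup-significant
// characters survives unchanged in the rendered fragment, i.e. the renderer
// reflected it without encoding.
function reflectsUnescaped(input, rendered) {
  return /[&<>"']/.test(input) && rendered.includes(input);
}

// Stand-alone usage: compare both renderers on the constructed sample.
console.log('unsafe reflects raw input:',
  reflectsUnescaped(SAMPLE_EXCERPT, renderExcerptUnsafe(SAMPLE_EXCERPT)));
console.log('safe reflects raw input:  ',
  reflectsUnescaped(SAMPLE_EXCERPT, renderExcerptSafe(SAMPLE_EXCERPT)));
console.log(renderSearchResultSafe(SAMPLE_QUERY, ['Image', 'Gallery']));
```

`reflectsUnescaped` is deliberately simple: it flags only verbatim reflection, which is enough to catch the concatenation pattern above in a unit test, but it does not replace context-aware encoding (attribute values, URLs and inline script contexts each need their own encoder).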