WordPress Vulnerabilities
WP < 6.5.2 - Unauthenticated Stored XSS
Description
WordPress does not escape the author name rendered by its Avatar block when certain block settings are enabled, leading to Stored Cross-Site Scripting. In a default setup, users with the Contributor role and above could perform such an attack. However, if the blog uses the same settings on the Avatar block in the comment template, then unauthenticated users could exploit this.
Proof of Concept
Default setup: As a contributor, edit your profile and put the following payload as First Name: " autofocus onfocus=alert`XSS`//, then select the display name containing the payload and save. Create or edit a post, add an Avatar block, and enable "Link to user profile" and "Open in new tab" in the block settings. Alternatively, add the following code to a post while in Code Editor mode: <!-- wp:avatar {"isLink":true,"linkTarget":"_blank"} /-->

The XSS is triggered whenever any user (pre)views the post.

---------

Worse setup ("Link to user profile" and "Open in new tab" enabled in the Avatar block settings in the comment template, which can be done by opening /wp-admin/site-editor.php?postType=wp_template&postId=twentytwentyfour%2F%2Fsingle, selecting one of the Avatar blocks in the comments area and enabling the settings): simply add a comment as an unauthenticated user with the following payload in the Name field: " autofocus onfocus=alert`XSS`//, and put a dummy Website URL (required for the attack to work).
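The rendering flaw and its fix side by side, as an added example (not WordPress core code; the exact core markup and function names are assumptions). The name lands in an attribute of the link wrapper that only exists when "Open in new tab" is set, which is why both block settings are required, and the check at the end is one a theme or block test suite could apply to rendered output.

```php
<?php
// Added example, not WordPress core. Constructed sample inputs: the display
// name carries the payload quoted in the advisory.
$display_name = '" autofocus onfocus=alert`XSS`//';
$profile_url  = 'https://example.test/author/contributor/';

// Stand-in for WordPress esc_attr() so this runs without WordPress loaded
// (ENT_QUOTES turns the leading double quote into &quot;).
function esc_attr_stub(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering (assumed shape): the aria-label is only emitted for
// target="_blank", and the name is concatenated raw into that attribute, so the
// payload's first quote closes aria-label and the rest become new attributes.
function render_avatar_link_vulnerable(string $url, string $name, string $target): string {
    $label = ($target === '_blank') ? ' aria-label="' . $name . ' author archive, opens in a new tab"' : '';
    return '<a href="' . esc_attr_stub($url) . '" target="' . $target . '"' . $label . '>'
         . '<img class="avatar" src="/avatar.png" alt="" /></a>';
}

// Hardened rendering: attribute context gets attribute escaping (esc_attr() in
// WordPress) applied to the untrusted name itself, not only to the template.
function render_avatar_link_fixed(string $url, string $name, string $target): string {
    $label = ($target === '_blank') ? ' aria-label="' . esc_attr_stub($name) . ' author archive, opens in a new tab"' : '';
    return '<a href="' . esc_attr_stub($url) . '" target="' . $target . '"' . $label . '>'
         . '<img class="avatar" src="/avatar.png" alt="" /></a>';
}

// Defensive check: parse the markup and confirm the <a> element gained no
// autofocus or on* event-handler attribute beyond what the template emits.
function has_injected_attribute(string $html): bool {
    $doc = new DOMDocument();
    @$doc->loadHTML($html);
    foreach ($doc->getElementsByTagName('a') as $a) {
        foreach ($a->attributes as $attr) {
            $n = strtolower($attr->name);
            if ($n === 'autofocus' || str_starts_with($n, 'on')) {
                return true;
            }
        }
    }
    return false;
}

$vuln  = render_avatar_link_vulnerable($profile_url, $display_name, '_blank');
$fixed = render_avatar_link_fixed($profile_url, $display_name, '_blank');
echo 'vulnerable: ' . (has_injected_attribute($vuln)  ? 'attribute injected' : 'clean') . "\n";
echo 'fixed:      ' . (has_injected_attribute($fixed) ? 'attribute injected' : 'clean') . "\n";
```

Running it prints "attribute injected" for the vulnerable renderer and "clean" for the fixed one; with target set to anything other than _blank the label is never emitted and neither variant is affected.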
Affects WordPress
Fixed in WordPress 6.5.2
Fixed in WordPress 6.4.4
Fixed in WordPress 6.3.4
Fixed in WordPress 6.2.5
Fixed in WordPress 6.1.6
Fixed in WordPress 6.0.8
Classification
Type
XSS
Miscellaneous
Original Researcher
John Blackbourn, Mat Rollings
Verified
Yes
Timeline
Publicly Published
2024-04-09
Added
2024-04-10
Last Updated
2024-04-11