WordPress Vulnerabilities

WP < 6.5.2 - Unauthenticated Stored XSS

Description

WordPress does not escape the Author name of its Avatar block when some settings are enabled, leading to Stored Cross-Site Scripting. In a default setup, contributor and above users could perform such attack. However, if the blog is using the mentioned settings in the comment template, then unauthenticated users could exploit this.

Proof of Concept

Default setup:

As a contributor, edit your profile and put the following payload as First Name: " autofocus onfocus=alert`XSS`//, then select the display name with the payload in it and save.

Create/edit a post, add an Avatar block, enable "Link to user profile" and "Open in new tab" in the block settings. Or add the following code in a post while in Code Editor mode: <!-- wp:avatar {"isLink":true,"linkTarget":"_blank"} /-->

The XSS will be triggered when any user will (pre)view the post

---------

Worse setup ("Link to user profile" and "Open in new tab" enabled in the Avatar block settings in the comment template, which can be done by opening /wp-admin/site-editor.php?postType=wp_template&postId=twentytwentyfour%2F%2Fsingle, select one of the Avatar block in the comment and enable the settings)

Simply add a comment as unauthenticated with the following payload in the Name: " autofocus onfocus=alert`XSS`//, and put a dummy Website URL(required for the attack to work)

Affects WordPress

6.5
Fixed in WordPress 6.5.2
6.4.3
Fixed in WordPress 6.4.4
6.4.2
Fixed in WordPress 6.4.4
6.4.1
Fixed in WordPress 6.4.4
6.4
Fixed in WordPress 6.4.4
6.3.3
Fixed in WordPress 6.3.4
6.3.2
Fixed in WordPress 6.3.4
6.3.1
Fixed in WordPress 6.3.4
6.3
Fixed in WordPress 6.3.4
6.2.4
Fixed in WordPress 6.2.5
6.2.3
Fixed in WordPress 6.2.5
6.2.2
Fixed in WordPress 6.2.5
6.2.1
Fixed in WordPress 6.2.5
6.2
Fixed in WordPress 6.2.5
6.1.5
Fixed in WordPress 6.1.6
6.1.4
Fixed in WordPress 6.1.6
6.1.3
Fixed in WordPress 6.1.6
6.1.2
Fixed in WordPress 6.1.6
6.1.1
Fixed in WordPress 6.1.6
6.1
Fixed in WordPress 6.1.6
6.0.7
Fixed in WordPress 6.0.8
6.0.6
Fixed in WordPress 6.0.8
6.0.5
Fixed in WordPress 6.0.8
6.0.4
Fixed in WordPress 6.0.8
6.0.3
Fixed in WordPress 6.0.8
6.0.2
Fixed in WordPress 6.0.8
6.0.1
Fixed in WordPress 6.0.8
6.0
Fixed in WordPress 6.0.8

References

URL
https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
John Blackbourn, Mat Rollings
Verified
Yes
WPVDB ID
1a5c5df1-57ee-4190-a336-b0266962078f

Timeline

Publicly Published
2024-04-09 (about 1 months ago)
Added
2024-04-10 (about 1 months ago)
Last Updated
2024-04-11 (about 1 months ago)

Other

Published
Title
Published
2022-06-06
Title
NextCellent Gallery <= 1.9.35 - Admin+ Stored XSS
Published
2021-12-14
Title
.htaccess Redirect <= 0.3.1 - Reflected Cross-Site Scripting
Published
2024-05-02
Title
Pet Manager <= 1.4 - Reflected XSS
Published
2023-09-15
Title
Horizontal scrolling announcement for WordPress <= 9.2 Contributor+ Stored XSS
Published
2023-09-12
Title
Funnelforms Free < 3.4 Unauthenticated Stored Cross-Site Scripting