The recently patched WordPress REST API Endpoint vulnerability is the gift that keeps on giving.
Already responsible for more than one million website defacements and attempts to monetize some of those attacks, the flaw also opens the door to a separate attack.
Researchers at Sucuri, who found the original bug, on Monday disclosed details on how it could be leveraged to pull off a stored cross-site scripting attack.
The stored XSS bug was patched last week in the WordPress core when the version 4.7.3 security update was released. Marc Montpas, a researcher at Sucuri, said that an attacker who defaced a website using an exploit for the REST API Endpoint vulnerability could also have stored malicious JavaScript on the site that could be triggered later.
“Combined with the recent content injection vulnerability we found, it’s possible for a remote attacker to deface a random post on the site and store malicious Javascript code in it,” Montpas wrote in the disclosure published yesterday. “This code would be executed when visitors view the post and when anyone edits the post from the WordPress dashboard. As a result, when an administrator tries to fix the defaced post, they would unknowingly trigger the malicious script, which could then be used to put a backdoor on the site and create new admin users.”
The issue was not patched until the 4.7.3 release because it cannot be exploited without the original content injection bug in the REST API being present and without the attacker possessing contributor privileges on WordPress.
Montpas explained that during research on the REST API vulnerability, he discovered how the embed shortcode feature in WordPress could overcome some hurdles put in place by the wp_kses() function, which limits the HTML tags someone could insert into a post. Specifically, Montpas said the youtube_embed_url function was particularly useful in setting up a scenario where an attacker could drop a stored XSS attack that would execute later.
“When an administrator visits the affected post, the XSS payload will execute and may force his browser to perform administrative actions on his behalf, like storing backdoors on the site and creating new administrator accounts,” Montpas told Threatpost last week. “This vulnerability alone isn’t very risky, because it requires the attacker to have very specific privileges on the site. But combined with the REST API vulnerability we found last month, which basically allowed any visitor to edit a site’s posts, it could have caused quite a mayhem.”
The REST API vulnerability allows an attacker with one line of exploit code to access the API and change site content and URL permalinks. The issue lies in the way the REST API resolves the post ID for a request: it gives precedence to an ID supplied in GET or POST parameters over the ID already captured from the route URL. Any request whose ID contained letters would fail the post lookup, skip the permission check that depends on that lookup, and then be coerced to a number by the update code, essentially granting an attacker the ability to edit the post without admin privileges.
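The failure pattern described above, parameter precedence plus an authorization check that silently does nothing when a lenient lookup finds no post, is easy to reproduce in a few lines. The following is an added, simplified model written for this article; it is not WordPress code, and the request layout, the post store and the role model are constructed for illustration. `php_int_cast` mimics PHP's loose `(int)` cast on strings, which is what turns an ID like `123abc` back into `123` on the update path. The hardened version validates the ID once, rejects anything that is not a whole number, and uses that single validated value for both the permission check and the update.

```python
import re


def make_posts():
    """Constructed sample post store: post id -> author id and title."""
    return {123: {"author": 1, "title": "Hello world"}}


def php_int_cast(value):
    """Model of PHP's (int) cast on a string: leading digits are kept and
    trailing characters are ignored, so '123abc' becomes 123."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def get_param(request, key):
    """Model of a request object that lets body or query parameters take
    precedence over the value captured from the route (URL) pattern."""
    for source in ("json", "post", "query", "route"):
        if key in request.get(source, {}):
            return request[source][key]
    return None


def lookup_post(posts, post_id):
    """Strict lookup: an id that is not a whole number finds nothing."""
    if not re.fullmatch(r"\d+", str(post_id)):
        return None
    return posts.get(int(post_id))


def can_edit(user, post):
    """Only admins and the post's own author may edit it."""
    if user is None:
        return False
    return user["role"] == "admin" or user["id"] == post["author"]


def update_vulnerable(posts, request, user, new_title):
    """Flawed flow: the permission check only runs when the strict lookup
    succeeds, but the update path coerces the same raw id leniently."""
    raw_id = get_param(request, "id")
    post = lookup_post(posts, raw_id)
    if post and not can_edit(user, post):
        return "forbidden"
    target = posts.get(php_int_cast(raw_id))  # reaches post 123 for '123abc'
    if target is None:
        return "not found"
    target["title"] = new_title
    return "updated"


def update_hardened(posts, request, user, new_title):
    """Fixed flow: validate the id once, then use that validated value for
    both the authorization decision and the write."""
    raw_id = get_param(request, "id")
    if not re.fullmatch(r"\d+", str(raw_id)):
        return "invalid id"
    post = posts.get(int(raw_id))
    if post is None:
        return "not found"
    if not can_edit(user, post):
        return "forbidden"
    post["title"] = new_title
    return "updated"


if __name__ == "__main__":
    # Constructed request: route captured id 123, query string overrides it.
    req = {"route": {"id": "123"}, "query": {"id": "123abc"}}
    print("vulnerable, anonymous:", update_vulnerable(make_posts(), req, None, "defaced"))
    print("hardened, anonymous:  ", update_hardened(make_posts(), req, None, "defaced"))
```

The general lesson applies beyond this bug: whenever a value is validated on one code path and coerced on another, the two paths can disagree, and an authorization check guarded by "if the object was found" fails open whenever the lookup is stricter than the write.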
The researchers recommend again that WordPress admins not disable automatic updates, and ensure that the 4.7.2 and 4.7.3 updates are installed.