The recently patched WordPress REST API Endpoint vulnerability is the gift that keeps on giving.
Already responsible for more than one million website defacements and attempts to monetize some of those attacks, the flaw also opens the door to a separate attack.
Researchers at Sucuri who found the original bug on Monday disclosed details on how it could be leveraged to pull off a stored cross-site scripting attack.
The issue was not patched until the 4.7.3 release because it cannot be exploited without the original content injection bug in the REST API being present and without the attacker possessing contributor privileges on WordPress.
Montpas explained that during research on the REST API vulnerability, he discovered how the embed shortcode feature in WordPress could overcome some hurdles put in place by the wp_kses() function, which limits the HTML tags someone could insert into a post. Specifically, Montpas said the youtube_embed_url function was particularly useful in setting up a scenario where an attacker could drop a stored XSS attack that would execute later.
“When an administrator visits the affected post, the XSS payload will execute and may force his browser to perform administrative actions on his behalf, like storing backdoors on the site and creating new administrator accounts,” Montpas told Threatpost last week. “This vulnerability alone isn’t very risky, because it requires the attacker to have very specific privileges on the site. But combined with the REST API vulnerability we found last month, which basically allowed any visitor to edit a site’s posts, it could have caused quite a mayhem.”
The REST API vulnerability allows an attacker with one line of exploit code to access the API and change site content and URL permalinks. The issue lies in the way the REST API manages access. It does so by favoring values such as GET and POST rather than existing values. Any request with letters in its ID would bypass a permission check and essentially grant an attacker admin privileges.
The researchers recommend again that WordPress admins not disable automatic updates, and ensure that the 4.7.2 and 4.7.3 updates are installed.