A just-patched stored cross-site scripting (XSS) vulnerability in WordPress allowed drive-by remote code-execution, according to an analysis.
The bug exists in the built-in editor Gutenberg, which is found in WordPress 5.0 and above. Zhouyuan Yang, a threat-researcher at FortiGuard Labs, said that Gutenberg fails to filter a post’s JavaScript/HTML code if there’s a “Shortcode” error message.
Shortcodes are essentially shortcuts that WordPress users can utilize to embed files or create objects that would normally require more complex code to accomplish. Shortcode blocks can be added to a page by clicking on the “Add Block button” inside the Gutenberg editor.
However, when adding certain HTML encoded characters (such as “<”) to the Shortcode block itself and then re-opening the post, users will get an error message, according to the analysis.
“[Wordpress] previews [the post] by decoding the ‘<’ to ‘<“,'” explained Yang. “The XSS filter in this preview can be easily bypassed [by adding] the proof-of-concept [code] ‘><img src=1 onerror=prompt(1)>.’ [to the post].”
After that, when any website visitor views the post, the XSS code will be executed in their browser.
“This allows a remote attacker with ‘Contributor’ or higher permissions to execute arbitrary JavaScript/HTML code in the browser of victims who access the compromised webpage,” he wrote in a Thursday posting.
Yang told Threatpost that an attacker can exploit this as long as he or she has a “contributor role” on a vulnerable WordPress website. Attackers can also build their own website or first compromise a legitimate website to inject the code. After that, they need only entice victims to visit the compromised page in order to execute the malicious code.
The “stored XSS” designation associated with this vulnerability is also troublesome as it is the “most dangerous” type of XSS, according to OWASP. A stored XSS occurs when a web application gathers input from a user and stores that input for later use, according to OWASP. If it’s not correctly filtered, malicious data will appear to be part of the web site and run within the user’s browser under the privileges of the web application.
The National Institute of Standards and Technology assigned the vulnerability a Common Vulnerabilities and Exposures rating of 6.1, making it a Medium severity bug.
Another Wrinkle
There’s another wrinkle in the vulnerability Yang found. “If the victim has high permissions, such as an administrator, the attacker could even compromise [their] web server,” he said.
For example, Yang has a proof-of-concept exploit, in which the attacker hosts a JavaScript file that could exploit the XSS bug to add a WordPress administrator account with the username “attacker” and password “attacker” to the targeted CMS.
The attacker could do this by sending a GET request to the URL “/wordpress/wp-admin/user-new.php,” to extract the current ‘nonce’ value. Using this nonce value, it’s then possible to construct a POST query and create a new user with an arbitrary username and password, as an administrator, Yang explained. The attacker could then modify an existing php file to a webshell (this is a WordPress built-in function) using this new account, then use the webshell to take control of the web server.
FortiGuard Labs contacted WordPress about the flaw, which was patched this month with version 5.2.3. The vulnerability (identified as CVE-2019-16219) affects WordPress versions from 5.0 to 5.0.4, 5.1 and 5.1.1. Public disclosure of the bug was last week.
It wasn’t the only XSS flaw patched in the platform; the update also fixed XSS vulnerabilities found in post previews by contributors, in stored comments, during media uploads, in the dashboard and during URL sanitization.
XSS flaws in WordPress and various plugins continue to plague the platform, the most popular content management system (CMS) in the world, with 60.4 percent of the global CMS market share. About a third of all of the websites on the internet are built using WordPress.
Most recently, in July, WordPress plugin WP Statistics patched an XSS vulnerability that could allow for full website takeover; in March, WordPress issued a patch for a stored XSS vulnerability in the platform’s comment system.
Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don’t miss our free Threatpost webinar, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. Click here to register.