A few months back, Sucuri reported a dangerous security vulnerability in WordPress 4.2.2. The fix shipped in WordPress 4.2.4, a release that addressed a total of six security vulnerabilities.
Details of the vulnerability
The vulnerability has been initially reported by Sucuri to the WordPress security team on May 6th, 2015, and was fixed with the release of WordPress 4.2.4 on August 4th, 2015.
Exploitation level: Easy
DREAD Score: 6/10
Vulnerability: Persistent XSS
Patched Version: 4.2.4
Technical Details
The bug was in the preview_theme() function, which WordPress uses to preview changes to a theme's configuration before they go live. The function is hooked to the setup_theme action, which runs every time a theme is about to be loaded for display.
The theme preview is accessible only to logged-in administrators, specifically users with the switch_themes capability. See the screenshot below:
When an administrator visits one of the site's pages with specific $_GET parameters added (preview and template, optionally stylesheet, naming the theme to preview), preview_theme() does not return early; instead it registers preview_theme_ob_filter() as the ob_start() callback. That callback runs a regular expression over the buffered page to find every HTML link and hands each match to preview_theme_ob_filter_callback().
So, to be clear: first ob_start() gathers all of the page's content; when the buffer is flushed, PHP calls preview_theme_ob_filter(), which grabs every HTML link and passes it to preview_theme_ob_filter_callback().
This callback does a number of checks on the link and rewrites it so that it keeps the preview's query parameters, but most importantly it strips onclick='' event handlers from the rest of the tag with a regular expression.
The issue
The problem is in preview_theme_ob_filter_callback() itself. The piece of code that removes onclick='' handlers is a regular expression that deletes everything from onclick= and its opening quote up to the next matching quote, without regard for which attribute that quote belongs to. Because the removal operates on the raw tag text rather than on parsed attributes, it can be abused to turn the contents of an attribute value into new HTML attributes on the link, by sending a tag similar to the following in a post comment:
<a href='/wp-admin' title="onclick='" Title='" style="position: absolute;top:0;left:0;width:100%;height:100%;display:block;" onmouseover=alert(1)//'>Test</a>
Here the substring onclick='" Title=' (from onclick=' up to the next single quote) is the piece that gets removed. Its removal collapses the two title attributes into a single empty one and accidentally promotes the style and onmouseover text, until then just characters inside a quoted title value, into real attributes. The resulting tag (visible only to logged-in administrators running a theme preview) will be:
<a href='/wp-admin/' title="" style="position:absolute;top:0;left:0;width:100%;height:100%;display:block;" onmouseover=alert(1)//'>Test</a>
This bypasses the filters WordPress applies to comment content to disallow JavaScript execution: the submitted link carries only href and title attributes, and the style and onmouseover text is inert as long as it stays inside the quoted title value. The dangerous attributes come into existence only afterwards, when the theme-preview output filter rewrites markup that has already been sanitised, so the comment filters never get to see them.
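To make the mechanics concrete, here is an added example (my own code, not WordPress' and not from the original post) that re-implements the link regex and the onclick-stripping regex described above in Python and runs them over the payload. The two patterns are reproduced from memory of wp-includes/theme.php in 4.2.2 and should be checked against the real source; the callback models only the onclick removal, not the href rewriting. The hardened_link_rebuild() function and its ALLOWED_A_ATTRS allowlist are an illustrative alternative I added to show the safe approach (parse the tag into attributes, allowlist them, re-serialise with escaping); they are not the fix WordPress shipped in 4.2.4.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: the comment payload from the post, as it sits in the
# rendered page before the theme-preview output filter touches it.
PAYLOAD = (
    "<a href='/wp-admin/' title=\"onclick='\" Title='\" "
    "style=\"position:absolute;top:0;left:0;width:100%;height:100%;display:block;\" "
    "onmouseover=alert(1)//'>Test</a>"
)

# Patterns modelled on preview_theme_ob_filter() and on the onclick-stripping
# line of preview_theme_ob_filter_callback(). Reproduced from memory of
# wp-includes/theme.php (4.2.2), so verify them against the real source.
LINK_RE = re.compile(r"""(<a.*?href=(["']))(.*?)(["'].*?>)""")
ONCLICK_RE = re.compile(r"""onclick=(['"]).*?(?<!\\)\1""", re.IGNORECASE)


def vulnerable_link_callback(m):
    """Simplified callback: models only the onclick removal, not the href
    rewriting that re-adds the preview query parameters."""
    opening, _quote, href, rest = m.groups()
    if "onclick" in rest:
        # Cuts from onclick=<quote> to the next matching quote in the raw tag
        # text, with no idea which attribute value those characters belong to.
        rest = ONCLICK_RE.sub("", rest)
    return opening + href + rest


def vulnerable_preview_filter(content):
    """What the ob_start() callback does to every <a ...> in the buffered page."""
    return LINK_RE.sub(vulnerable_link_callback, content)


class _AnchorAttrs(HTMLParser):
    """Records the attribute list a browser-style parser sees on each <a>."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append(attrs)


def anchor_attributes(fragment):
    """Attribute lists, in order, of every <a> in the fragment."""
    parser = _AnchorAttrs()
    parser.feed(fragment)
    parser.close()
    return parser.anchors


def has_event_handler(fragment):
    """True if any <a> in the fragment ends up with an on* attribute."""
    return any(name.lower().startswith("on")
               for attrs in anchor_attributes(fragment)
               for name, _ in attrs)


# Hypothetical allowlist for the hardened rebuild; not WordPress' own list.
ALLOWED_A_ATTRS = ("href", "title", "rel", "class")


class _Rebuilder(HTMLParser):
    """Re-serialises <a> tags from parsed, allowlisted, escaped attributes, so
    text inside one attribute value can never turn into another attribute."""

    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            self.out.append(self.get_starttag_text())
            return
        kept = {}
        for name, value in attrs:
            name = name.lower()
            if name in ALLOWED_A_ATTRS and name not in kept:  # first one wins
                kept[name] = value or ""
        parts = ['%s="%s"' % (k, html.escape(v, quote=True)) for k, v in kept.items()]
        self.out.append("<a " + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data))


def hardened_link_rebuild(fragment):
    """Illustrative safe alternative (not the 4.2.4 fix): parse, allowlist, re-emit."""
    rebuilder = _Rebuilder()
    rebuilder.feed(fragment)
    rebuilder.close()
    return "".join(rebuilder.out)


if __name__ == "__main__":
    print("stored comment parses to:", anchor_attributes(PAYLOAD))
    print("after preview filter:", vulnerable_preview_filter(PAYLOAD))
    print("hardened rebuild:", hardened_link_rebuild(PAYLOAD))
```

Parsing the stored comment with a browser-style parser yields three harmless attributes (href and two title values), so has_event_handler() is false on the raw payload and becomes true only on the filter's output: it is the regex surgery, not the comment, that creates the onmouseover attribute. The rebuild approach avoids the class of bug entirely, because it never edits tag text it has not first decomposed into attributes.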
Update, update, update!
As said before, this vulnerability has been patched in WordPress 4.2.4, available since August 4th, 2015. If automatic updates don't work for you, all you have to do is update your WordPress website to the most recent version. You can confirm the installed version from the Updates screen in the dashboard or, on the command line, with WP-CLI's wp core version.
The post Persistent XSS Vulnerability in WordPress 4.2.2 appeared first on deshack.