- (Required) DOM Cross-Site Scripting (XSS) via Post
- Summary: A user can include a script in an ordinary post, and the script runs once the post is published.
- Vulnerability types: XSS
- Tested in WordPress version: 4.2
- Theme: Twenty Fifteen
- Tested in theme version: 1.1
- Fixed in theme version: 1.2
- GIF Walkthrough:

- Steps to recreate:
- Insert this line of code into the post:
http:// site.com/wp-content/themes/twentyfifteen/genericons/example.html#1<img/ src=1 onerror= alert(1)>
- On the preview, we can see that the script is run.
- Affected source code:
- (Required) Cross-Site Scripting (XSS) via Image Title
- Summary: A user can change the title of an image and attach it to a post so that a script runs once the image is clicked.
- Vulnerability types: XSS
- Tested in version: 4.2
- Fixed in version:
- GIF Walkthrough:

- Steps to recreate:
- Insert this line of code into the picture's title:
cengizhansahinsumofpwn<img src=a onerror=alert(document.cookie)>.jpg
- Create a new post and add a gallery including that picture.
- On the preview, we can see that the script is run.
- Affected source code:
- (Required) Stored Cross-Site Scripting
- Summary: A user with editing privileges can inject a script into a reply message; the script is executed when the mouse is hovered over the link.
- Vulnerability types: XSS
- Tested in version: 4.2
- Fixed in version: 4.2.1
- GIF Walkthrough:

- Steps to recreate:
- Using an account with editing privileges, make a reply with the following text:
<a href = "" onmouseover=alert("Hi") >Click here</a>
- Once someone hovers their mouse over the link, the script will be run.
- Affected source code:
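The reply text above and the image title in the gallery entry both execute because an inline event handler survives into the rendered page. The allowlist sanitizer below is an added example of the server-side fix, not WordPress's own wp_kses filter; the tag and attribute allowlists and the accepted URL schemes are this example's assumptions.

```python
# Added example, not WordPress code (its own filter is wp_kses); allowlists are assumptions.
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED = {"a": {"href", "title"}, "img": {"src", "alt", "title"},  # tag -> attributes
           "p": set(), "em": set(), "strong": set()}
VOID_TAGS = {"img"}                    # no closing tag is emitted for these
SAFE_SCHEMES = {"", "http", "https"}   # "" = relative URL; javascript:/data: are rejected
SKIP_CONTENT = {"script", "style"}     # body of these is discarded rather than escaped

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.dropped = []    # ("tag", name) or (tag, attribute): audit trail for alerting
        self.skipping = False

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_CONTENT:
            self.skipping = True
        if tag not in ALLOWED:
            self.dropped.append(("tag", tag))
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            # Reject on* handlers, attributes outside the allowlist, and non-http(s) URLs.
            bad_attr = name.startswith("on") or name not in ALLOWED[tag]
            bad_url = name in ("href", "src") and urlparse(value).scheme.lower() not in SAFE_SCHEMES
            if bad_attr or bad_url:
                self.dropped.append((tag, name))
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SKIP_CONTENT:
            self.skipping = False
        if tag in ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:          # text is escaped, never interpreted as markup
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    # Return (clean_html, dropped) for an untrusted HTML fragment.
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped
```

For an image title or filename, where no markup is expected at all, escaping the whole string with html.escape is the right fix; the sanitizer is for fields that legitimately allow limited HTML, and its `dropped` list is worth logging as a signal that someone submitted active content.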
- (Optional) Cross-Site Scripting (XSS) via Media File Metadata
- Summary: A user can upload an audio file whose metadata contains a script, which is executed once the audio file is added to a post's playlist.
- Vulnerability types: XSS
- Tested in version: 4.2
- Fixed in version: 4.2.13
- GIF Walkthrough:

- Steps to recreate:
- Download the xss.mp3 audio file found at the bottom of this page: https://seclists.org/oss-sec/2017/q1/563. Any audio file should work as long as its metadata is properly formatted to run the specified script.
- Create a new post and add the audio file to the post's playlist.
- Affected source code:
- (Optional) User Enumeration
- Summary: WordPress tells you whether the username doesn't exist or whether it does exist but the password is wrong. Attackers can guess a username and then only have to brute-force the password to gain access to that account.
- Vulnerability types: User Enumeration
- Tested in version: 4.2
- Fixed in version: This was never fixed. WordPress doesn't see this as a vulnerability. Other websites are similar in that usernames are visible. In previous labs we had to guess an account's username before moving forward, which now makes me think that it is risky if usernames are public.
- GIF Walkthrough:

- Steps to recreate:
- Entering a username that doesn't exist informs us that there's no account with that username.
- Entering a valid username with the wrong password informs us that the password is wrong, so we can infer that an account with that username does exist.
- Affected source code:
Utilized WPScan to find vulnerabilities in an old version of WordPress
Describe any challenges encountered while doing the work
Copyright [2019] [Owen Ahmed]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.