WordPress User Submitted Posts 20151113 Cross Site Scripting
Posted on 25 February 2016
* Exploit Title: WordPress User Submitted Posts Plugin [Persistent XSS] * Discovery Date: 2016-02-10 * Exploit Author: Panagiotis Vagenas * Author Link: https://twitter.com/panVagenas * Vendor Homepage: https://plugin-planet.com/ * Software Link: https://wordpress.org/plugins/user-submitted-posts/ * Version: 20151113 * Tested on: WordPress 4.4.2 * Category: WebApps, WordPress Description ----------- _User Submitted Posts_ plugin for WordPress suffers from a XSS vulnerability. The `user-submitted-content` field of the new post submission form is not properly sanitized, thus allowing users to include JS code to submitted post content. Normally only users with `unfiltered_html` capability are allowed to include JS code to post content. By default Administrators or Super Administrators have this capability, so this is considered as Persistent XSS vulnerability. PoC --- 1. Submit the form inserting JS code to post content 2. View the newly created post 3. JS code is executed Solution -------- Upgrade to v20160215 Timeline -------- 1. **2016-02-10**: Vendor notified via contact form at his website 2. **2016-02-10**: Vendor responded and received details about the issue 3. **2016-02-14**: Vendor released version 20160215 User Submitted Posts [Persistent XSS].md * Exploit Title: User Submitted Posts [Persistent XSS] * Discovery Date: 2016-02-10 * Exploit Author: Panagiotis Vagenas * Author Link: https://twitter.com/panVagenas * Vendor Homepage: https://plugin-planet.com/ * Software Link: https://wordpress.org/plugins/user-submitted-posts/ * Version: 20151113 * Tested on: WordPress 4.4.2 * Category: WebApps, WordPress Description ----------- _User Submitted Posts_ plugin for WordPress suffers from a XSS vulnerability. The `user-submitted-content` field of the new post submission form is not properly sanitized, thus allowing users to include JS code to submitted post content. Normally only users with `unfiltered_html` capability are allowed to include JS code to post content. By default Administrators or Super Administrators have this capability, so this is considered as Persistent XSS vulnerability. PoC --- 1. Submit the form inserting JS code to post content 2. View the newly created post 3. JS code is executed Solution -------- Upgrade to v20160215 Timeline -------- 1. **2016-02-10**: Vendor notified via contact form at his website 2. **2016-02-10**: Vendor responded and received details about the issue 3. **2016-02-14**: Vendor released version 20160215