Exploitation Level: Easy/Remote
DREAD Score: 6/10
Vulnerability: Stored XSS
Patched Version: bbPress 2.5.9
During regular research audits of our Sucuri Firewall, we discovered a Stored XSS vulnerability affecting the bbPress plugin for WordPress which is currently installed on 300,000 live websites – one of them being the popular wordpress.org support forum.
Vulnerability Disclosure Timeline:
- April 12th, 2016 – Bug discovered, initial report to the bbPress team
- May 2nd, 2016 – bbPress team announces security release
- May 3rd, 2016 – Sucuri releases disclosure
Are You At Risk?
As a Cross-Site Scripting (XSS) vulnerability, it could allow this user to hijack other user accounts, perform actions on their behalf (like administrators, moderators, etc.) to escalate its user’s privileges.
All posts and replies are sanitized by the WordPress function wp_kses(), which acts as a whitelist sanitization function. This means it only allows approved HTML tags and their associated whitelisted attributes (and URL protocol, for attributes like href and src) through the filtering engine. After this happens, the resulting string is passed down to the following list of filters, hooked by bbPress:
We found the bbp_mention_filter function interesting, as it is one of the few functions that doesn’t come from WordPress.
This code does the following:
- It searches for mentions in the post by calling the bbp_find_mentions, returning every match from the following regex: /[@]+([A-Za-z0-9-_\.@]+)\b/
- For each of these matches, check if it corresponds to a known user, and whether they are active or not.
- Once that is done, it will replace these mentions with a hyperlink HTML tag, linking to the user’s profile page.
It doesn’t check if the mentions found are already located inside an HTML tag’s attribute; therefore if a user with the name ‘test’ sends a reply containing a hyperlink tag whose href attribute is set to @test, it would break the hyperlink tag.
To better illustrate, this:
… would become:
<a href="<a href="http://targetsite/test/profile/" rel="nofollow">test</a>">link</a>
Update as Soon as Possible
If you’re using a vulnerable version of this plugin, yes, update as soon as possible! In the event where you cannot do this, we strongly recommend leveraging the Sucuri Firewall or equivalent technology to get it patched virtually.