Cyber Security Works discovered and reported a Stored Cross-Site Scripting vulnerability in the WordPress Post Duplicator Plugin that allows an authenticated attacker to inject a JavaScript payload into a trusted URL.

Vulnerable Variable/Parameters: mtphr_post_duplicator_settings[title], mtphr_post_duplicator_settings[slug]

Note: Here, localhost has been used for testing the application locally.

1. Login to the WordPress application.
2. Install the Post Duplicator Plugin.
3. Go to the 'Tools' menu of WordPress and click on the 'Post Duplicator' button.

Figure 01: Post Duplicator Settings Page

4. Enter the payload Duplicate Post"><script>alert(document.cookie)</script> in the 'Duplicate Title' field (mtphr_post_duplicator_settings[title] parameter).

Figure 02: Entering the XSS payload in the 'Duplicate Title' field

5. Enter the payload Hello World!"><script>alert(document.cookie)</script> in the 'Duplicate Slug' field (mtphr_post_duplicator_settings[slug] parameter).

Figure 03: Entering the XSS payload in the 'Duplicate Slug' field

6. Click on the 'Save Changes' button to save the changes.
7. Go to the Post Duplicator Settings page at tools.php?page=mtphr_post_duplicator_settings_menu

Figure 04: The injected XSS payload is executed, displaying an alert box with the contents of the user's cookies.

8. Another use case of this vulnerability is when a post is duplicated after the XSS payload has been injected in the settings page.

Figure 05: Duplicate the "Hello world!" post

9. Once the post is duplicated, the title of the duplicated post has the name specified in the mtphr_post_duplicator_settings[title] parameter appended to it.

Figure 06: Duplicated post with XSS payload

10. Now navigate to the application root to view the posts.

Figure 07: The injected XSS payload is executed, displaying an alert box with the contents of the user's cookies.

Figure 08: The default cross-site scripting mitigation setting in the wp.config file to prevent cross-site scripting attacks

Impact

An attacker can perform the following:

- Inject malicious code into the vulnerable variable and exploit the application through the cross-site scripting vulnerability.
- Modify the code and get the session information of other users.
- Compromise the user machine.

Remediation

- Perform context-sensitive encoding of untrusted input before it is echoed back to a browser, using an encoding library throughout the application.
- Implement input validation for special characters on all the variables reflected in the browser and stored in the database.
- Explicitly set the character set encoding for each page generated by the web server.
- Encode dynamic output elements and filter specific characters in dynamic elements.

Timeline

Dec 28, 2021: Discovered in Post Duplicator Plugin – 2.23
Dec 29, 2021: Reported to WordPress team
Dec 31, 2021: Vendor fixed the issue
Dec 31, 2021: CSW assigned the CVE Identifier (CVE-2021-33852)

WordPress has a massive attack surface due to the large number of active installations. At any one time, attempts to break into WordPress sites are a continual hum in the background of all internet traffic. Therefore, we urge users to patch this vulnerability immediately.

Contribution Credits: Sriraam Natarajan
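As an added illustration of the first two remediation points above (this is example code, not the plugin's own), the PHP below places the vulnerable output pattern beside its hardened form and adds a save-time sanitizer for the two affected settings. The function names are assumed, and the guarded fallbacks for esc_attr(), sanitize_text_field() and sanitize_title() are stand-ins so the file runs outside WordPress; inside WordPress the core functions are used.

```php
<?php
// Added illustrative example, not the plugin's own code. It models the defect
// the advisory describes: the stored 'title' and 'slug' settings are echoed
// into an HTML value="" attribute, so a stored value such as
//   Duplicate Post"><script>alert(document.cookie)</script>
// closes the attribute and the tag and injects markup into the settings page.

// Stand-alone fallbacks (assumed, crude approximations) so this runs with
// `php example.php`. Under WordPress the real core functions take precedence.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $text ) { return trim( strip_tags( $text ) ); }
}
if ( ! function_exists( 'sanitize_title' ) ) {
    function sanitize_title( $text ) { return trim( preg_replace( '/[^a-z0-9]+/', '-', strtolower( $text ) ), '-' ); }
}

// Constructed sample of what an attacker could have stored via the settings form.
$stored = array(
    'title' => 'Duplicate Post"><script>alert(document.cookie)</script>',
    'slug'  => 'Hello World!"><script>alert(document.cookie)</script>',
);

// BEFORE: the stored value is concatenated into the attribute unescaped.
function render_field_vulnerable( $key, array $settings ) {
    return '<input type="text" name="mtphr_post_duplicator_settings[' . $key . ']" value="'
        . $settings[ $key ] . '" />';
}

// AFTER: encode for the attribute context at output time (remediation point 1).
// Quotes and angle brackets become entities, so the browser renders them as text.
function render_field_hardened( $key, array $settings ) {
    return '<input type="text" name="mtphr_post_duplicator_settings[' . $key . ']" value="'
        . esc_attr( $settings[ $key ] ) . '" />';
}

// Validate on save as well, before the value reaches the database (remediation
// point 2): the title is plain text, the slug is restricted to slug characters.
function sanitize_duplicator_settings( array $input ) {
    return array(
        'title' => sanitize_text_field( $input['title'] ?? '' ),
        'slug'  => sanitize_title( $input['slug'] ?? '' ),
    );
}

echo render_field_vulnerable( 'title', $stored ), "\n"; // raw <script> reaches the browser
echo render_field_hardened( 'title', $stored ), "\n";   // markup is neutralised as entities
print_r( sanitize_duplicator_settings( $stored ) );     // what should be stored instead
```

Output encoding is the control that actually closes the hole, since a stored value can arrive from paths other than the settings form; the save-time sanitizer is defence in depth.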