WordPress WP-SiteMap Page Plugin – Stored Cross-Site Scripting (XSS)

Title: Responsible Vulnerability Disclosure Stored Cross-Site Scripting (XSS) CVE-2021-24715: – Stored Cross-Site Scripting (XSS) Vulnerability in WordPress WP-SiteMap Page Plugin (Affected Plugin Version Number < 1.7.0).

INTRODUCTION

WordPress is a content management system (WCM) i.e., it is a tool that organizes the whole process of creating, storing, and showcasing web-content in an optimal way. WordPress started its journey as an improvement tool to enhance the regular typography of day-to-day writing. But it was taken as a blogging tool and as we reach the last quarter of this year WordPress stands strong as the most used WCM system used and that also not only in the blogging community. WordPress is completely an open-source tool and is still being updated very frequently.

eSecForte Technologies Security Researcher – Nikhil Kapoor found a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress WP-SiteMap Page Plugin, and it has been assigned CVE-2021-24715 by the WPScan.

 

Description: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

 

Platform/Product: WordPress WP-SiteMap Page Plugin – Affected Plugin Version Number < 1.7.0

Vulnerability Name: Stored Cross-Site Scripting (XSS)

Affected Component:

Attack Type:

Impact:

Attackers can execute scripts in a victim’s browser to hijack user sessions, deface websites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.

Recommendation:

  1. The preferred option is to properly escape all untrusted data based on the HTML context. Include data escaping techniques in their applications.
  2. Use positive or “white-list” input validation to protect against XSS.
  3. Use HTML & URL encoding for applications that accept special characters and meta tags. Such validation should decode any encoded input, and then validate the length, characters, and format on that data before accepting the input.
  4. Client-side and server-side validation should be implemented. Server-side validation is mandatory.

Method of Exploitation

Steps to Reproduce #:-

1. Install WordPress and Go to the dashboard.

Stored Cross-Site Scripting

2. Now go to Plugin and select Add New.

Stored Cross-Site Scripting

3. Now Install and Activate WP-SiteMap Page Plugin.

Stored Cross-Site Scripting

4. Now go to settings > WP-SiteMap Page.

Stored Cross-Site Scripting

5. “How to display the posts” Input Field is Vulnerable to Stored Cross-Site Scripting Vulnerability (XSS). Enter XSS Payload and click on save changes button.

Stored Cross-Site Scripting
Stored Cross-Site Scripting
Stored Cross-Site Scripting

6. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.

Stored Cross-Site Scripting

[Disclosure Process]

  1. Reported the Vulnerability to the WordPress Team.
  2. Acknowledged confirmed from the Vendor that vulnerability exist.
  3. CVE has been assigned by WPScan.
  4. Vendor confirm that the vulnerability is fixed or a latest version, patch is released.
  5. Vulnerability disclosed to the public.

 [Reference]                                    

https://wpscan.com/vulnerability/da66d54e-dda8-4aa8-8d27-b8b87100bb21

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24715

 

[Has vendor confirmed or acknowledged the vulnerability?]

Yes                                                                                                                   

[Discoverer]                                                                                                      

Nikhil Kapoor from eSecForte Technologies Pvt Ltd