Wordpress 3-8-1-stored-xss

wordpress 3.8.1 stored xss.

Published in: Technology, Business

#####################################################################
#
# Wordpress <= 3.8.1 Stored XSS (Requires Admin Privileges)
#
# Author : Mehmet Dursun INCE - mehmet.ince@intelrad.com
# Job : Pentest Leader at IntelRAD.
# Twitter: @mmetince
# Found : 9 Feb
# Tested on: Wordpress 3.8.1 on CentOS.
#
#####################################################################

Vulnerability Discovery:

First of all, I want to remind you that you need privileges to upload a new theme to the WordPress server, via ftp/sftp or the WordPress GUI.

1 - WordPress checks themes for compatibility. If a theme is not compatible, WordPress warns you under the "Broken Themes" segment of the theme management page.

2 - "test" is the folder name of the theme that you want to add to WordPress. It also means that you can inject an XSS payload via the folder name. As you know, we can use <, >, " or other characters in a folder name, but only if you are using Linux.

3 - Let's create a "broken theme". That is easy to create because we know that WordPress needs to see a stylesheet file.

4 - Let's upload that folder under /[wordpress_full_path]/wp-content/themes.

5 - I uploaded that folder via sftp.

    mince@rootlab:/tmp$ scp xss.zip root@mehmetince.net:/[wp-full-path]/wp-content/themes
    xss.zip 100% 194 0.2KB/s 00:00
    mince@rootlab:/tmp$

6 - See our malformed theme under the themes folder.

7 - Decompress it.

8 - Let's refresh the theme page.

9 - EOF!
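
A defensive check for the condition described above, added here as an example and not part of the original slides: it lists theme folders whose names contain HTML metacharacters and notes whether each would count as a broken theme. The function names, the "style.css" stylesheet name and the sample folder names are assumptions constructed for illustration.

```python
import html
import os
import tempfile

# HTML metacharacters; the slides name <, > and " as usable in Linux folder names.
SUSPICIOUS = set('<>"\'&')
# Assumption: "style.css" is the stylesheet WordPress expects in a theme folder.
STYLESHEET = "style.css"


def audit_themes(themes_dir):
    """Return a finding for every theme folder whose name contains HTML metacharacters."""
    with os.scandir(themes_dir) as it:
        entries = sorted(it, key=lambda e: e.name)
    findings = []
    for entry in entries:
        if not entry.is_dir(follow_symlinks=False):
            continue
        chars = sorted(SUSPICIOUS.intersection(entry.name))
        if not chars:
            continue
        findings.append({
            "name": entry.name,
            # Escaped form, safe to place in an HTML report.
            "safe_name": html.escape(entry.name, quote=True),
            "chars": chars,
            # No stylesheet means the folder would be listed as a broken theme.
            "broken": not os.path.isfile(os.path.join(entry.path, STYLESHEET)),
        })
    return findings


def demo():
    """Build a constructed themes tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "twentyfourteen"))
        open(os.path.join(root, "twentyfourteen", STYLESHEET), "w").close()
        os.mkdir(os.path.join(root, "plain-broken"))   # broken, but harmless name
        os.mkdir(os.path.join(root, "test<b>"))        # constructed marker name
        return audit_themes(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['safe_name']}: chars={f['chars']} broken={f['broken']}")
```

Point audit_themes() at the real wp-content/themes path to run it against a live install.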