WordPress 4.7.2 Cross-Site Scripting (XSS) via Taxonomy Term Names

Recently, the WordPress team published WordPress version 4.7.3. This version fixes a number of bugs that existed in previous WordPress versions.

In this post I am going to analyse the WordPress 4.7.2 Cross-Site Scripting (XSS) via Taxonomy Term Names vulnerability.

The problem is this JS code:

    xbutton = $( '<button type="button" id="' + id + '-check-num-' + key + '" class="ntdelbutton">' +
        '<span class="remove-tag-icon" aria-hidden="true"></span>' +
        '<span class="screen-reader-text">' + window.tagsSuggestL10n.removeTerm + ' ' + val + '</span>' +
        '</button>' );

Here val is the unfiltered user input; the patch replaces it with span.html(), which yields an entity-encoded copy of the value.

After testing, the patched code is found in the JS file loaded on:

  • http://localhost/wp-admin/post-new.php

The corresponding JS file is tags-box.min.js.

When adding or editing a post's tags, the user enters a tag by hand, and a button for removing that tag from the post is generated dynamically below the input box.

Example: the button generated after entering a tag named xss.

PoC

Close the "span" tag:

</span><svg onload=prompt(/XSS/)>