WP < 6.5.2 – Unauthenticated Stored XSS | WordPress Vulnerabilities

Description

WordPress does not escape the Author name of its Avatar block when some settings are enabled, leading to Stored Cross-Site Scripting. In a default setup, contributor and above users could perform such attack. However, if the blog is using the mentioned settings in the comment template, then unauthenticated users could exploit this.

Proof of Concept

Default setup:

As a contributor, edit your profile and put the following payload as First Name: " autofocus onfocus=alert`XSS`//, then select the display name with the payload in it and save.

Create/edit a post, add an Avatar block, enable "Link to user profile" and "Open in new tab" in the block settings. Or add the following code in a post while in Code Editor mode: <!-- wp:avatar {"isLink":true,"linkTarget":"_blank"} /-->

The XSS will be triggered when any user will (pre)view the post

---------

Worse setup ("Link to user profile" and "Open in new tab" enabled in the Avatar block settings in the comment template, which can be done by opening /wp-admin/site-editor.php?postType=wp_template&postId=twentytwentyfour%2F%2Fsingle, select one of the Avatar block in the comment and enable the settings)

Simply add a comment as unauthenticated with the following payload in the Name: " autofocus onfocus=alert`XSS`//, and put a dummy Website URL(required for the attack to work)

Affects WordPress

Fixed in WordPress 6.5.2

Fixed in WordPress 6.4.4

Fixed in WordPress 6.4.4

Fixed in WordPress 6.4.4

Fixed in WordPress 6.4.4

Fixed in WordPress 6.3.4

Fixed in WordPress 6.3.4

Fixed in WordPress 6.3.4

Fixed in WordPress 6.3.4

Fixed in WordPress 6.2.5

Fixed in WordPress 6.2.5

Fixed in WordPress 6.2.5

Fixed in WordPress 6.2.5

Fixed in WordPress 6.2.5

Fixed in WordPress 6.1.6

Fixed in WordPress 6.1.6

Fixed in WordPress 6.1.6

Fixed in WordPress 6.1.6

Fixed in WordPress 6.1.6

Fixed in WordPress 6.1.6

Fixed in WordPress 6.0.8

Fixed in WordPress 6.0.8

Fixed in WordPress 6.0.8

Fixed in WordPress 6.0.8

Fixed in WordPress 6.0.8

Fixed in WordPress 6.0.8

Fixed in WordPress 6.0.8

Fixed in WordPress 6.0.8

References

URL

https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

John Blackbourn, Mat Rollings

Verified

Yes

WPVDB ID

1a5c5df1-57ee-4190-a336-b0266962078f

Timeline

Publicly Published

2024-04-09 (about 1 year ago)

Added

2024-04-10 (about 1 year ago)

Last Updated

2024-04-11 (about 1 year ago)

Other

Published

Title

Published

2025-01-16

Title

WP Smart Tooltip <= 1.0.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2025-04-25

Title

My Custom Widgets <= 2.0.5 - Reflected Cross-Site Scripting

Published

2020-01-29

Title

Elementor Page Builder < 2.7.7 - Authenticated Stored XSS

Published

2025-02-23

Title

GDPR Cookie Compliance < 4.15.7 - Admin+ Stored XSS

Published

2024-10-16

Title

Parallax Image < 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via dd-parallax Shortcode