WordPress (5.9-5.9.1) / Gutenberg (9.8.0-12.7.1) – Contributor+ Stored Cross-Site Scripting | WordPress Vulnerabilities

Description

Post authors are able to bypass KSES restrictions in WordPress >= 5.9 (and or Gutenberg >= 9.8.0) due to the order filters are executed, which could allow them to perform to Stored Cross-Site Scripting attacks

Proof of Concept

As a user without the UNFILTERED_HTML capability, create a post containing the following content:

{"version":"u003cimg src=404 onerror=alert(document.location)u003e","isGlobalStylesUserThemeJSON":"foobar"}

Affects WordPress

Fixed in WordPress 5.9.2

Fixed in WordPress 5.9.2

Affects Plugins

Fixed in 12.7.2

References

URL

https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ben Bidner

Verified

Yes

WPVDB ID

1fd6742e-1a32-446d-be3d-7cce44f8f416

Timeline

Publicly Published

2022-03-11 (about 4 years ago)

Added

2022-03-11 (about 4 years ago)

Last Updated

2022-04-12 (about 4 years ago)

Other

Published

Title

Published

2025-03-27

Title

Audio Album < 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2020-06-19

Title

TownHub < 1.3.0 - Unauthenticated Reflected XSS

Published

2023-10-02

Title

Contractor Contact Form Website to Workflow Tool < 4.1.0 - Reflected XSS

Published

2022-04-19

Title

BMI BMR Calculator <= 1.3 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

ThreeWP Email Reflector 1.13 - Subject Field XSS