Advisory:

Reflected XSS in iframe allows unauthenticated users to do almost anything an admin can

Vulnerability

Last revised:

If the “get_params_from_url” option is used in the iframe shortcode, the page/post it’s on is opened up to a reflected XSS attack.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:

  Score             5.8 (Medium)
  Access vector     Network
  Access complexity Medium
  Authentication    None
  Confidentiality   Partial
  Integrity         Partial
  Availability      None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Paste the following into a post:

[iframe src="http://www.youtube.com/embed/4qsGTXLnmKs" width="100%" height="500" get_params_from_url="1"]

Visit the post in a browser that doesn't attempt to mitigate XSS attacks (e.g. Firefox) and append some extra query parameters to the URL:

http://localhost/2015/07/31/iframe/?a=%22%3E%3C/iframe%3E%3Cscript%3Ealert(`hello%20world`)%3C/script%3E
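The following is an added illustration of the bug class, not the plugin's own code: a minimal PHP sketch of a shortcode handler that copies the page's query parameters into the iframe src unescaped, beside a version that percent-encodes each parameter and attribute-escapes the result. The function names, $src and the $params array (standing in for $_GET) are assumptions made for the demo.

```php
<?php
// Added illustration of the bug class (not the plugin's code). Function names,
// $src and $params (standing in for $_GET) are assumptions for the demo.

// Vulnerable pattern: query parameters are concatenated, unescaped, into the
// src attribute, so a value containing '">' closes the attribute and the tag.
function iframe_unsafe(string $src, array $params): string
{
    foreach ($params as $k => $v) {
        $src .= (strpos($src, '?') === false ? '?' : '&') . $k . '=' . $v;
    }
    return '<iframe src="' . $src . '" width="100%" height="500"></iframe>';
}

// Hardened pattern: percent-encode every key and value (RFC 3986), then
// attribute-escape the whole URL. Characters such as '"', '<' and '>' can no
// longer leave the attribute value.
function iframe_safe(string $src, array $params): string
{
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    if ($query !== '') {
        $src .= (strpos($src, '?') === false ? '?' : '&') . $query;
    }
    $attr = htmlspecialchars($src, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<iframe src="' . $attr . '" width="100%" height="500"></iframe>';
}

// Check usable in a unit test: the rendered markup should open exactly one
// element, the iframe itself. Closing tags ("</...") are not counted.
function emits_single_element(string $html): bool
{
    return preg_match_all('/<[a-z]+/i', $html) === 1;
}

// Constructed input mirroring the advisory's proof of concept, already
// URL-decoded the way PHP presents it in $_GET['a'].
$src    = 'http://www.youtube.com/embed/4qsGTXLnmKs';
$params = ['a' => '"></iframe><script>alert(`hello world`)</script>'];

var_dump(emits_single_element(iframe_unsafe($src, $params)));
var_dump(emits_single_element(iframe_safe($src, $params)));
```

The unsafe rendering fails the check because a second element is opened, while the hardened rendering keeps the whole parameter inside the src attribute. Inside WordPress, add_query_arg() and esc_url() are the idiomatic equivalents of the encoding and escaping steps, and the src scheme should additionally be restricted to http/https.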

Advisory timeline

  • 2015-07-31: Discovered
  • 2015-08-05: Reported to vendor via web form on http://web-profile.com.ua/feedback/
  • 2015-08-06: Vendor responded
  • 2015-08-10: Vendor reported fixed in version 4.0
  • 2015-08-10: Published

Mitigation/further actions

Upgrade to version 4.0 or later.

If this is not possible, ensure that the “get_params_from_url” argument is never used in the shortcode.