CVSS Summary
| Metric | Value |
|---|---|
| Score | 5.5 Medium |
| Vector | Network |
| Complexity | Low |
| Authentication | Single |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | None |
Last revised:
Users without the unfiltered_html capability are able to insert arbitrary HTML into pages and thus exceed the privileges they were granted.
Current state: Reported
Insert the following into a post:
[iframe src="http://www.youtube.com/embed/4qsGTXLnmKs" width="100%" height="500" onload="alert(1)"]
Disable the plugin until a new version is released that fixes this bug.
The vendor has released version 4.0 in which onload is disabled, but the other ‘event’ attributes are still permitted, including onpageshow. A number of these event attributes could be used to execute this attack, so this issue is not resolved (registered as CVE-2015-6739).
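Why removing only onload leaves the issue open, and what an allowlist of attributes looks like instead, as an added example that is not the plugin's or the vendor's code. It is standalone PHP (7.4+); the function names, the set of permitted attributes and the dimension pattern are assumptions, and inside WordPress the escaping would normally be done with esc_url() and esc_attr().

```php
<?php
// Added example, not the plugin's code. $atts mimics the attribute array
// WordPress passes to a shortcode callback; all function names are hypothetical.

// Weak: denylist in the style of the 4.0 change, dropping only "onload".
function render_iframe_denylist(array $atts): string {
    unset($atts['onload']);
    return build_iframe_tag($atts);
}

// Hardened: only attributes that have a validator are emitted, so every
// event handler (onload, onpageshow, ...) is dropped without being listed.
function render_iframe_allowlist(array $atts): string {
    $dimension = fn(string $v): bool => preg_match('/^\d{1,4}(px|%)?$/D', $v) === 1;
    $validators = ['src' => 'is_http_url', 'width' => $dimension, 'height' => $dimension];
    $safe = [];
    foreach ($atts as $name => $value) {
        $name = strtolower((string) $name);
        if (isset($validators[$name]) && $validators[$name]((string) $value)) {
            $safe[$name] = (string) $value;
        }
    }
    // Without a valid src there is nothing safe to embed.
    return isset($safe['src']) ? build_iframe_tag($safe) : '';
}

// Accept only absolute http(s) URLs.
function is_http_url(string $url): bool {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return filter_var($url, FILTER_VALIDATE_URL) !== false
        && in_array($scheme, ['http', 'https'], true);
}

// Serialise attributes, escaping each value for a double-quoted HTML attribute.
function build_iframe_tag(array $atts): string {
    $html = '<iframe';
    foreach ($atts as $name => $value) {
        $html .= sprintf(' %s="%s"', $name, htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'));
    }
    return $html . '></iframe>';
}

// Constructed sample: the advisory's shortcode with onpageshow in place of onload.
$atts = ['src' => 'http://www.youtube.com/embed/4qsGTXLnmKs', 'width' => '100%',
         'height' => '500', 'onpageshow' => 'alert(1)'];
echo render_iframe_denylist($atts), "\n";
echo render_iframe_allowlist($atts), "\n";
```

Comparing the two printed tags shows the event attribute surviving the denylist and absent from the allowlist output.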