Advisory:

Stored XSS in Relevanssi could allow an unauthenticated attacker to do almost anything an admin can do

Vulnerability

Last revised:

Relevanssi can print a “did you mean” suggestion under search results. Using it requires adding a call to relevanssi_didyoumean() to the theme and enabling the logging of user queries, since the suggestion is chosen from previously logged searches. When the “did you mean” message is printed, the stored query is output without proper escaping, so any HTML or script in a previously logged search term is rendered as markup in the search results page.

Because the suggestion is read back from the stored query log rather than from the current request, the payload that ends up in the page does not have to appear in the request that triggers it. Browser-side reflected-XSS filters work by looking for the request parameter echoed in the response, so a stored query that differs from the current search term evades them; this is why the proof of concept below fires even in browsers that block the plain reflected case.

Current state: Fixed

CVSS Summary

CVSS v2 base score for this vulnerability: 5.8 (Medium), vector AV:N/AC:M/Au:N/C:P/I:P/A:N
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  • Delete all posts and pages (or just start from a fresh WordPress installation)
  • Create a blank post called “hello world”
  • Create a blank post called “hello again”
  • Activate Relevanssi
  • Set the current theme to twentyseventeen
  • Follow the plugin’s instructions by adding <?php if (function_exists('relevanssi_didyoumean')) { relevanssi_didyoumean(get_search_query(), "<p>Did you mean: ", "</p>", 5); } ?> to the theme’s search.php, after the call to get_header()
  • Enable Relevanssi’s “Keep a log of user queries” option and click “Save options”
  • Press “Build the index”
  • Visit /?s=hel%3Cscript%3E/*%3C*/alert(1)%3C/script%3E; this search term is now written to the query log
  • Visit the same URL again; the logged term is now offered as a suggestion and echoed back unescaped
  • If your browser has no reflected-XSS filter (e.g. Firefox) you will see an alert; a browser with such a filter may block it here, because the payload also appears in the request
  • Then visit /?s=he%3Cscript%3E/*%3C*/alert(2)%3C/script%3E
  • You will see an alert even in a browser that attempts to block reflected XSS (e.g. Chrome): the script that runs is a previously stored query suggested from the log, which does not match the current request parameter, so the filter has nothing to compare against
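The following PHP is an added illustration of the output pattern described in the Vulnerability section and exercised by the proof of concept above; it is not Relevanssi’s code and does not reproduce how the plugin selects suggestions. The query log is constructed sample data, the closest-match logic is a stand-in, and the esc_html() fallback exists only so the file runs outside WordPress (inside WordPress the core esc_html() is used). It prints the same suggestion twice, once concatenated straight into HTML and once escaped at the point of output, for a visitor query that differs from the stored payload.

```php
<?php
// Added example, not Relevanssi's code: a minimal stand-in for a "did you mean"
// helper that suggests the closest previously logged search query.

// Fallback for WordPress' esc_html() so this runs as a plain PHP script.
// Inside WordPress the core function is used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Stand-in suggestion logic: pick the logged query with the smallest edit
// distance from the current one, skipping exact matches so the suggestion is
// something other than what the visitor just typed.
function closest_logged_query($query, array $log) {
    $best = null;
    $best_dist = PHP_INT_MAX;
    foreach ($log as $logged) {
        if ($logged === $query) {
            continue;
        }
        $d = levenshtein($query, $logged);
        if ($d < $best_dist) {
            $best_dist = $d;
            $best = $logged;
        }
    }
    return $best;
}

// Vulnerable pattern: the value read back from the log is concatenated into
// the page as-is, so markup stored in an earlier search renders as markup.
function didyoumean_vulnerable($query, array $log, $pre = '<p>Did you mean: ', $post = '</p>') {
    $suggestion = closest_logged_query($query, $log);
    if ($suggestion === null) {
        return '';
    }
    return $pre . '<a href="?s=' . urlencode($suggestion) . '">' . $suggestion . '</a>' . $post;
}

// Hardened pattern: treat the stored value as untrusted data and escape it at
// the point where it is written into HTML (the URL part is separately encoded).
function didyoumean_fixed($query, array $log, $pre = '<p>Did you mean: ', $post = '</p>') {
    $suggestion = closest_logged_query($query, $log);
    if ($suggestion === null) {
        return '';
    }
    return $pre . '<a href="?s=' . urlencode($suggestion) . '">' . esc_html($suggestion) . '</a>' . $post;
}

// Constructed query log: the attacker's earlier search has already been stored,
// alongside two benign searches.
$log = array(
    'hello world',
    'hello again',
    'hel<script>/*<*/alert(1)</script>',
);

// The visitor's current query is not the stored payload. A reflected-XSS filter
// that compares this request parameter with the response finds no match, yet
// the vulnerable output still contains the script tag from the stored entry.
$query = 'he<script>/*<*/alert(2)</script>';

echo "Vulnerable output:\n", didyoumean_vulnerable($query, $log), "\n\n";
echo "Escaped output:\n", didyoumean_fixed($query, $log), "\n";
```

Run it with `php didyoumean.php`; the first block of output contains a live `<script>` element taken from the log, the second contains the same text with `<`, `>` and quotes encoded as entities, which is what a fix at the output boundary looks like. Storing the query escaped instead would also defuse this sink, but escaping on output is the WordPress convention and protects every place the log is later printed.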

Advisory timeline

  • 2017-02-14: Discovered
  • 2017-02-15: Reported via email
  • 2017-02-15: Requested CVE
  • 2017-02-16: Vendor first replied, to say the issue was fixed in version 3.5.8
  • 2017-02-28: Advisory published
  • 2017-07-07: Received CVE

Mitigation/further actions

Upgrade to version 3.5.8 or later.