CVSS Summary
| Score | 4.9 Medium |
|---|---|
| Vector | Network |
| Complexity | Medium |
| Authentication | Single |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | None |
Advisory:
Stored XSS in Salutation Responsive WordPress + BuddyPress Theme could allow logged-in users to do almost anything an admin can
Vulnerability
Last revised:
The theme contains JavaScript (assets/js/onLoad.js) which iterates through .section-tabs a and puts every href value it finds into jQuery(). jQuery() doesn’t just search for elements which match a selector (i.e. jQuery('.section-tabs')), it also creates elements (i.e. jQuery('<div>')).
$('.section-tabs').simpleSlideTop(); // ... $.fn.simpleSlideTop = function(opts) { // ... contentID = $(this).attr('href'); $(contentID).hide();
An attacker without the unfiltered_html capability would be able to inject arbitrary HTML as if they had the unfiltered_html capability. With the ability to inject arbitrary HTML, the attacker is able add JavaScript which causes a logged-in administrator user to do almost anything – including creating new user accounts, deleting posts, and more.
Current state: Fixed
Proof of concept
- Click the activate button on the theme
- Install and activate Revolution Slider plugin
- Create a new user with role of Author (by default, Authors do not possess the
unfiltered_htmlcapability) - Log in as that user
- Visit “Add New Post” screen
- Switch the editor to “Text” mode
- Enter the following:
<div class="section-tabs"><a href="<img src=x onerror=alert(1)>">a</a></div> - Press “Publish”
- Press “View post”
- You will see an alertbox appear showing the value “1”
For comparison, if the same user account enters <img src=x onerror=alert(1)> or <script>alert(1)</script>, it will be blocked by WordPress.
Advisory timeline
- 2017-04-26: Discovered
- 2017-07-25: Reported via contact form on http://para.llel.us/
- 2017-07-25: Vendor reported issue fixed in 3.0.16
- 2017-07-31: Advisory published
- 2017-07-31: Requested CVE
- 2017-08-23: Received CVE
Mitigation/further actions
Upgrade to version 3.0.16 or later.