Details of the vulnerability
The vulnerability was initially reported by Sucuri to the WordPress security team on May 6th, 2015, and was fixed with the release of WordPress 4.2.4 on August 4th, 2015.
Exploitation level: Easy
DREAD Score: 6/10
Vulnerability: Persistent XSS
Patched Version: 4.2.4
The bug was in the preview_theme() function, which WordPress uses to preview changes to theme configurations before they go live. This function is hooked to the setup_theme action hook, which is executed every time a theme is to be displayed.
The theme preview is accessible only to logged-in administrators, specifically users with the switch_themes capability. See the screenshot below:
When an administrator visits one of the site's pages with specific $_GET parameters added, this function will not return early, and sets the preview_theme_ob_filter() function as ob_start()'s callback function. This function filters all the HTML links using the
So to be clear: first ob_start() gathers all of the page's content, then calls the preview_theme_ob_filter() callback function to grab all HTML links, which will then be passed to the
This function does a number of checks, but most importantly removes the onclick='' event handlers from link tags.
The problem lies in the preview_theme_ob_filter_callback() function: the piece of code responsible for removing the onclick='' handlers can be used to insert new HTML tag attributes into the link, by submitting a tag similar to the following in a post comment:
<a href='/wp-admin' title="onclick='" Title='" style="position: absolute;top:0;left:0;with:100%;height:100%;display:block;" onmouseover=alert(1)//'>Test</a>
The portion onclick='" Title=' (highlighted in bold in the original post) is the piece that gets removed, which accidentally splices the style and onmouseover attributes into the tag. The resulting tag (visible only to logged-in administrators) will be:
<a href='/wp-admin/' title="" style="position:absolute;top:0;left:0;width:100%;height:100%;display:block;" onmouseover=alert(1)//'>Test</a>
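To make the failure mode concrete, the following is an added Python example; it is not WordPress code and not part of the Sucuri post. It models the deletion-based onclick filter described above, shows that the sample tag carries no event-handler attribute before filtering but gains one afterwards, and contrasts that with a sanitizer that parses the tag and re-serialises only allow-listed attributes. The regex, the helper names (strip_onclick_by_deletion, event_handler_attrs, rebuild_link) and the sample tag are assumptions constructed for illustration.

```python
import re
import html
from html.parser import HTMLParser

# Constructed sample comment link, modelled on the tag shown in the advisory.
SAMPLE_TAG = (
    "<a href='/wp-admin' title=\"onclick='\" Title='\" "
    "style=\"position:absolute;top:0;left:0;width:100%;height:100%;display:block;\" "
    "onmouseover=alert(1)//'>Test</a>"
)

# Deletion-based filter in the spirit of the one the text describes
# (assumption: written here for illustration, not copied from WordPress).
ONCLICK_RE = re.compile(r"onclick=(['\"]).*?(?<!\\)\1", re.IGNORECASE)


def strip_onclick_by_deletion(tag_html: str) -> str:
    """Unsafe: deletes the matched onclick=... span and keeps every other byte
    verbatim, so text that lived inside an attribute value is spliced into the
    attribute list of whatever remains."""
    return ONCLICK_RE.sub("", tag_html)


class _FirstTag(HTMLParser):
    """Records the name, attribute list and text content of the first start tag."""

    def __init__(self):
        super().__init__()
        self.tag = None
        self.attrs = []
        self.text = ""

    def handle_starttag(self, tag, attrs):
        if self.tag is None:
            self.tag = tag
            self.attrs = attrs

    def handle_data(self, data):
        self.text += data


def parse_first_tag(fragment: str):
    parser = _FirstTag()
    parser.feed(fragment)
    parser.close()
    return parser.tag, parser.attrs, parser.text


def event_handler_attrs(fragment: str) -> list:
    """Detection helper: names of on* attributes a tag-level parser sees."""
    _, attrs, _ = parse_first_tag(fragment)
    return [name for name, _ in attrs if name.lower().startswith("on")]


ALLOWED_LINK_ATTRS = ("href", "title")


def rebuild_link(fragment: str) -> str:
    """Safe alternative: parse first, keep only allow-listed attributes (first
    occurrence wins), and re-serialise each value with html.escape so nothing
    inside a value can close the quote or introduce a new attribute."""
    tag, attrs, text = parse_first_tag(fragment)
    if tag != "a":
        return html.escape(fragment)
    kept = {}
    for name, value in attrs:
        name = name.lower()
        if name in ALLOWED_LINK_ATTRS and name not in kept:
            kept[name] = value or ""
    parts = ["<a"]
    for name in ALLOWED_LINK_ATTRS:
        if name in kept:
            parts.append(f' {name}="{html.escape(kept[name], quote=True)}"')
    return "".join(parts) + ">" + html.escape(text) + "</a>"


if __name__ == "__main__":
    print("before filter:", event_handler_attrs(SAMPLE_TAG))
    stripped = strip_onclick_by_deletion(SAMPLE_TAG)
    print("after deletion:", event_handler_attrs(stripped))
    print("rebuilt:", rebuild_link(SAMPLE_TAG))
```

Running it shows the point of the advisory: as submitted, the tag's second title attribute swallows the style and onmouseover text, so a parser sees no event handler at all; deleting the onclick span shifts the quote boundaries and the same bytes become real attributes. The rebuild approach never edits the raw string, so the quote juggling has nothing to act on.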
Update, update, update!
As said before, this vulnerability was patched in WordPress 4.2.4, which has been available since August 4th, 2015. If automatic updates do not work for you, all you have to do is update your WordPress website to the most recent version.