Persistent XSS Vulnerability in WordPress 4.2.2

A few months back Sucuri reported a dangerous security vulnerability found in WordPress 4.2.2. The patch has been released with WordPress 4.2.4, which fixed a total of 6 security vulnerabilities.

Details of the vulnerability

The vulnerability has been initially reported by Sucuri to the WordPress security team on May 6th, 2015, and was fixed with the release of WordPress 4.2.4 on August 4th, 2015.

Vulnerability Details
Security Risk: Dangerous
Exploitation level: Easy
DREAD Score: 6/10
Vulnerability: Persistent XSS
Patched Version: 4.2.4

Technical Details

The bug was in the preview_theme() function, which WordPress uses to preview changes to a theme's configuration before they go live. This function is hooked to the setup_theme action hook, which runs every time a theme is about to be displayed.

The theme preview is accessible only to logged-in administrators, specifically users with the switch_themes capability. See the screenshot below:

Screenshot: the preview_theme() function. Credits: Sucuri

When an administrator visits one of the site's pages with specific $_GET parameters added, this function does not return early; instead it registers preview_theme_ob_filter() as the callback of ob_start(). That callback filters all the HTML links in the buffered output through preview_theme_ob_filter_callback().

Screenshot: the preview_theme_ob_filter() function. Credits: Sucuri

So to be clear: first ob_start() gathers all of the page's content, then it calls the preview_theme_ob_filter() callback, which extracts every HTML link and passes each one to the preview_theme_ob_filter_callback() function.

Screenshot: the preview_theme_ob_filter_callback() function. Credits: Sucuri

This function does a number of checks, but most importantly removes the onclick='' event handlers from link tags.

The issue

The problem lies precisely in the preview_theme_ob_filter_callback() function: the piece of code responsible for removing the onclick='' handlers can be abused to insert new attributes into the HTML link, by submitting a tag similar to the following in a post comment:

<a href='/wp-admin' title="onclick='" Title='" style="position: absolute;top:0;left:0;with:100%;height:100%;display:block;" onmouseover=alert(1)//'>Test</a>

The fragment onclick='" Title=' is the piece that gets removed. Because the removal is done on the raw tag text rather than on parsed attributes, deleting it shifts the quote boundaries, so what was previously inside the title value becomes the style and onmouseover attributes. The resulting tag (visible only to logged-in administrators) will be:

<a href='/wp-admin/' title="" style="position:absolute;top:0;left:0;width:100%;height:100%;display:block;" onmouseover=alert(1)//'>Test</a>

This obviously bypasses the WordPress filters that were in place to disallow JavaScript execution in comments.
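The following Python is an added illustration, not code from this post or from WordPress: it models the defect described above on the quoted payload. The regex is an assumption of the shape the text describes (delete onclick='...' from the unparsed tag), and the hardened rebuild_link() shows the defender-side alternative: parse first, keep only allow-listed attributes, and re-escape values instead of editing raw markup.

```python
import html
import re
from html.parser import HTMLParser

# Constructed copy of the comment payload quoted in the post above.
PAYLOAD = ("<a href='/wp-admin' title=\"onclick='\" Title='\" style=\"position: absolute;"
           "top:0;left:0;with:100%;height:100%;display:block;\" onmouseover=alert(1)//'>Test</a>")

# Hypothetical regex of the shape the post describes (remove onclick='...' as a substring).
# The exact WordPress 4.2.2 expression is not reproduced on this page.
ONCLICK_RE = re.compile(r"""onclick=(['"]).*?(?<!\\)\1""", re.IGNORECASE)


def strip_onclick_by_regex(tag: str) -> str:
    """Vulnerable pattern: substring deletion on unparsed HTML shifts the quote
    boundaries, so text that sat inside a title value turns into new attributes."""
    return ONCLICK_RE.sub("", tag)


class _AnchorAttrs(HTMLParser):
    """Collect the attributes a browser would see on the first <a> tag."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = attrs


def parsed_attrs(tag: str) -> dict:
    """Return the anchor's attributes as a browser would parse them (first duplicate wins)."""
    p = _AnchorAttrs()
    p.feed(tag)
    p.close()
    out = {}
    for name, value in p.attrs or []:
        out.setdefault(name.lower(), value or "")
    return out


def has_event_handler(tag: str) -> bool:
    """Detection check: does any on* attribute survive on the parsed tag?"""
    return any(name.startswith("on") for name in parsed_attrs(tag))


def rebuild_link(tag: str, allowed=("href", "title")) -> str:
    """Hardened pattern: emit a fresh opening tag from parsed, allow-listed,
    re-escaped attributes; the raw tag text is never edited in place."""
    attrs = parsed_attrs(tag)
    parts = [f'{n}="{html.escape(attrs[n], quote=True)}"' for n in allowed if n in attrs]
    return "<a " + " ".join(parts) + ">"
```

Note that the untouched payload carries no event handler at all as a browser parses it; the handler only appears after the regex edits the raw text, which is why a filter that rewrites markup must work on parsed attributes.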

Update, update, update!

As said before, this vulnerability has been patched in WordPress 4.2.4, which has been available since August 4th, 2015. If automatic updates don't work for you, all you have to do is update your WordPress website to the most recent version.

CC BY-SA 4.0 Persistent XSS Vulnerability in WordPress 4.2.2 by Mattia Migliorini is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.


Web Designer freelance, Ubuntu Member, Linux evangelist. Loves working on clear and minimal designs and wants to create beautiful things for different devices.
