Details
================
Software: Salutation Responsive WordPress + BuddyPress Theme
Version: 3.0.15
Homepage:
https://themeforest.net/item/salutation-responsive-wordpress-buddypress-theme/548199
Advisory report:
https://security.dxw.com/advisories/stored-xss-salutation-theme/
CVE: Awaiting assignment
CVSS: 4.9 (Medium; AV:N/AC:M/Au:S/C:P/I:P/A:N)
Description
================
Stored XSS in Salutation Responsive WordPress + BuddyPress Theme could allow
logged-in users to do almost anything an admin can
Vulnerability
================
The theme contains JavaScript (assets/js/onLoad.js) which iterates through
.section-tabs a and puts every href value it finds into jQuery(). jQuery()
doesn’t just search for elements which match a selector (i.e.
jQuery(\'.section-tabs\')), it also creates elements (i.e. jQuery(\'<div>\')).
$(\'.section-tabs\').simpleSlideTop();
// ...
$.fn.simpleSlideTop = function(opts) {
// ...
contentID = $(this).attr(\'href\');
$(contentID).hide();
An attacker without the unfiltered_html capability would be able to inject
arbitrary HTML as if they had the unfiltered_html capability. With the ability
to inject arbitrary HTML, the attacker is able add JavaScript which causes a
logged-in administrator user to do almost anything – including creating new
user accounts, deleting posts, and more.
Proof of concept
================
Click the activate button on the theme
Install and activate Revolution Slider plugin
Create a new user with role of Author (by default, Authors do not possess the
unfiltered_html capability)
Log in as that user
Visit “Add New Post” screen
Switch the editor to “Text” mode
Enter the following: <div class=\"section-tabs\"><a href=\"<img src=x
onerror=alert(1)>\">a</a></div>
Press “Publish”
Press “View post”
You will see an alertbox appear showing the value “1”
For comparison, if the same user account enters <img src=x onerror=alert(1)> or
<script>alert(1)</script>, it will be blocked by WordPress.
Mitigations
================
Upgrade to version 3.0.16 or later.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our
disclosure policy: https://security.dxw.com/disclosure/
Please contact us on [email protected] to acknowledge this report if you
received it via a third party (for example, [email protected]) as they
generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this
report with 14 days.
Timeline
================
2017-04-26: Discovered
2017-07-25: Reported via contact form on http://para.llel.us/
2017-07-25: Vendor reported issue fixed in 3.0.16
2017-07-31: Advisory published
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
