WordPress 3.9-5.1 - Comment Cross-Site Scripting

Summary

Description               Details
Name                      WordPress 3.9-5.1 - Comment Cross-Site Scripting
Summary                   WordPress does not protect comment submission against CSRF, and comments posted by administrators are not sanitized effectively.
Affected application      WordPress Core
Affected revision         3.9 to 5.1
Vendor update available   Yes
CVE                       CVE-2019-9787
IDs                       CWE-79; WPVDB9230
CVSSv3.0 Base Score       7.7
CVSS vector               AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Public exploit available  No
Exploit verified          N/A
Authentication required   Yes, user interaction needed

Vulnerable Code

The vulnerability lies in wp-admin/includes/ajax-actions.php and wp-includes/comment.php. <a> tags are allowed in comments, so JavaScript can be placed in event-handler attributes such as onmouseover on an <a> tag. When that script runs in an administrator's browser it can submit a further comment as the administrator, which is a CSRF attack. Comments entered by an administrator are not restricted, so <script> and <iframe> tags are permitted in them. With a suitable payload, every action available to the administrator can be performed, including modifying existing PHP scripts on the server with malware and adding administrator users.
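As an added illustration (example code, not WordPress's own kses implementation), the allow-list sanitizer below shows what the comment-side filter has to do: keep benign <a> markup, drop on* event handlers, javascript: URLs and the bodies of <script>/<iframe> tags, and record what it stripped so hostile submissions can be logged. The two allow-list profiles and the sample comments are constructed for this example and do not reproduce WordPress's real tables.

```python
import html
from html.parser import HTMLParser

# Constructed allow-lists for this example only (not WordPress's real kses tables): a
# looser "post" profile and a stricter "comment" profile, as swapped by the patch.
POST_ALLOWED = {"a": {"href", "title", "rel"}, "blockquote": {"cite"},
                "strong": set(), "em": set(), "code": set()}
COMMENT_ALLOWED = {"a": {"href", "title"}, "strong": set(), "em": set(), "code": set()}
DROP_WITH_BODY = {"script", "iframe", "style"}  # tag and everything inside it are removed

class AllowlistSanitizer(HTMLParser):
    """Rebuild HTML keeping only allow-listed tags/attributes; on* handlers and
    javascript: URLs are dropped under every profile and each removal is recorded."""

    def __init__(self, allowed):
        super().__init__()  # convert_charrefs=True: text arrives entity-decoded
        self.allowed = allowed
        self.out, self.flagged, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_BODY or tag not in self.allowed:
            self.skip_depth += tag in DROP_WITH_BODY  # script/iframe: drop contents too
            self.flagged.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            unsafe = (name.startswith("on") or name not in self.allowed[tag]
                      or value.strip().lower().startswith("javascript:"))
            if unsafe:
                self.flagged.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:  # re-escape text so decoded entities stay inert
            self.out.append(html.escape(data, quote=False))

def sanitize_comment(raw, allowed=COMMENT_ALLOWED):
    """Return (clean_html, flagged) for one submitted comment body."""
    parser = AllowlistSanitizer(allowed)
    parser.feed(raw)
    parser.close()
    return "".join(parser.out), parser.flagged
```

A non-empty `flagged` list on a comment from a privileged account is exactly the signal a defender would alert on, since it shows markup that the comment profile refuses but the post profile might have let through.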

Exploit Methodology

The attacker has to do the following to exploit this vulnerability:

  • First of all, the attacker needs a valid user login on the WordPress site
  • Craft a payload that adds a comment containing a second payload to modify an existing PHP script on the server
  • Create a comment using the above payload
  • Wait for an administrator user to approve or visit the comment
  • Gain a webshell and execute commands

Security Patch

diff --git a/wp-admin/includes/ajax-actions.php b/wp-admin/includes/ajax-actions.php
index f273c4df6f3..86b205279e5 100644
--- a/wp-admin/includes/ajax-actions.php
+++ b/wp-admin/includes/ajax-actions.php
@@ -1214,6 +1214,8 @@ function wp_ajax_replyto_comment( $action ) {
            if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) {
                kses_remove_filters(); // start with a clean slate
                kses_init_filters(); // set up the filters
+               remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+               add_filter( 'pre_comment_content', 'wp_filter_kses' );
            }
        }
    } else {
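Review bot: the two added lines swap wp_filter_post_kses for wp_filter_kses on pre_comment_content but carry no comment explaining why, while the two kses_* calls directly above them do; add one line such as `// comment content always gets the comment allow-list, never the post one`. The guarding condition on the `if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] )` line indexes $_POST without an isset() check, which raises a notice whenever the field is absent; that is pre-existing, but since this hunk is tightening exactly this branch it would be cheap to fix in the same change.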
diff --git a/wp-includes/comment.php b/wp-includes/comment.php
index 229330793ed..d245026d66a 100644
--- a/wp-includes/comment.php
+++ b/wp-includes/comment.php
@@ -3243,6 +3243,8 @@ function wp_handle_comment_submission( $comment_data ) {
            ) {
                kses_remove_filters(); // start with a clean slate
                kses_init_filters(); // set up the filters
+               remove_filter( 'pre_comment_content', 'wp_filter_post_kses' );
+               add_filter( 'pre_comment_content', 'wp_filter_kses' );
            }
        }
    } else {
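Review bot: this remove_filter/add_filter pair is byte-for-byte the same as the one added to wp_ajax_replyto_comment() in wp-admin/includes/ajax-actions.php in this patch, and both depend on kses_init_filters() having just registered wp_filter_post_kses on pre_comment_content; extract the four-call sequence (kses_remove_filters, kses_init_filters, remove_filter, add_filter) into one helper so the two comment paths cannot drift apart when the filter set changes. The condition that closes on the `) {` line is multi-line and not visible in the hunk, so the reviewer cannot confirm from the diff alone that every submission without a valid unfiltered-html nonce reaches this branch; a short comment stating that intent would help.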

References

https://blog.ripstech.com/2019/wordpress-csrf-to-rce/
Security Focus