KLU01/LU_Week7Project_WordPress_Kali

Vulnerabilities in WordPress 4.2

LU_Week7Project_WordPress_Kali

Vulnerabilities in WordPress 4.2

Project 7 - WordPress Pentesting

Time spent: 3 hours spent in total

Objective: Find, analyze, recreate, and document three vulnerabilities (5 is optional) affecting an old version of WordPress

Pentesting Report

1. WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename

• Summary: An attacker can inject JavaScript code into the application via upload of an image onto WordPress.
  • Vulnerability types: XXS
  • Tested in version: 4.2
  • Fixed in version: 4.2.10
• GIF Walkthrough:
• Steps to recreate:
  • Save an image with the file name such as: NameFile<img src=a onerror=alert(document.cookie)>.jpg
  • Upload the image as an admin to WordPress & open the attachment page
• Affected source code:
  • Link 1

2. WordPress 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)

• Summary: An attacker with a contributor or author level account can insert specially formatted HTML containing JavaScript on a WordPress page or post.
  • Vulnerability types: XXS
  • Tested in version: 4.2
  • Fixed in version: 4.2.3
• GIF Walkthrough:
• Steps to recreate:
  • Log onto a contributor or author level account. Create a post in html with the content of: <a href = "[caption code=">"]</a><a title=" onmouseover=alert('test') ">link</a>
  • Log onto administrator account and view the post
• Affected source code:
  • Link 1

3. WordPress 3.3-4.7.4 - Large File Upload Error XSS

• Summary: An attacker can inject malicious script into the filename of a video as an administrator.
  • Vulnerability types: XXS
  • Tested in version: 4.2
  • Fixed in version: 4.2.15
• GIF Walkthrough:
• Steps to recreate:
  • Create a file larger than 2 MB (the maximum upload size) with the file name such as: NameFile<img src=x onerror=alert('boo')>.jpg
  • Upload the video as an admin to WordPress Media
• Affected source code:
  • Link 1

Assets

List any additional assets, such as scripts or files

Resources

• WordPress Source Browser
• WordPress Developer Reference

GIFs created with LiceCap.

Notes

Describe any challenges encountered while doing the work

1. Finding good resources describing the vulnerabilities and examples
2. Although the IP stated was 127.0.53.53 when wpdistillery.dev was pinged, it was actually 192.168.33.10.
3. The hostname I found worked for me was not wpdistillery.dev but wpdistillery.local.

License

Copyright [2017] [Kelly Lu]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.