WordPress 3.5 Issues
WordPress released version 3.5.1 on January 24th 2013 which fixed a number of issues [0]:
-
Issue 1: "A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions."
-
Issue 2: "Two instances of cross-site scripting via shortcodes and post content."
-
Issue 3: "A cross-site scripting vulnerability in the external library Plupload."
This issue was originally discovered by @FireFart a WPScan Team member. You can find his Pingback Port Scanner here. Additional issues were also identified with the pingback API.
This issue was successfully investigated by @erwan_lr, a WPScan Team member. 'Administrators and Editors have the unfiltered_html capability' [1] so they are permitted to insert raw JavaScript into blog posts, less privileged users should not be allowed to insert JavaScript into blog posts, however, with these PoCs it is possible.
Proof of Concept: [gallery ids="20" icontag="script>alert(1)</script>"]
Proof of Concept: [embed]javascript:alert(document.cookie)[/embed]
This issue was successfully investigated by @erwan_lr, a WPScan Team member. "[Plupload] Allows you to upload files using HTML5 Gears, Silverlight, Flash, BrowserPlus or normal forms, providing some unique features such as upload progress, image resizing and chunked uploads." [2]
The vulnerable file is included in WordPress versions 3.5, 3.4.2, 3.4.1, 3.4, 3.3.3 and 3.3.2.
Proof of Concept: wp-includes/js/plupload/plupload.flash.swf?id=\"));}catch(e){alert(1);}//
[0] http://wordpress.org/news/2013/01/wordpress-3-5-1/
[1] http://core.trac.wordpress.org/ticket/22861
[3] https://github.com/wpscanteam/wpscan/issues/120
[4] https://github.com/wpscanteam/wpscan/issues/119
[5] https://github.com/FireFart/WordpressPingbackPortScanner
[6] http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html