In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.

**Package**

No package listed

**Affected versions**

5.0.7, 5.1.3, 5.2.4, and 5.3.0

**Description**

**Impact**

Authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.

**Patches**

This has been patched in WordPress 5.3.1, along with all the previous affected WordPress versions via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.

**References**

*   https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
*   https://hackerone.com/reports/731301

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue on HackerOne

CVE-2019-16781: Authenticated cross-site scripting (XSS) in WordPress block editor (within dashboard)

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.

@@ -74,11 +74,11 @@ function has\_blocks( $post = null ) { \* @since 5.0.0 \* @see parse\_blocks() \* \* @param string $block\_type Full Block type to look for. \* @param string $block\_name Full Block type to look for. \* @param int|string|WP\_Post|null $post Optional. Post content, post ID, or post object. Defaults to global $post. \* @return bool Whether the post content contains the specified block. \*/ function has\_block( $block\_type, $post = null ) { function has\_block( $block\_name, $post = null ) { if ( ! has\_blocks( $post ) ) { return false; } @@ -90,7 +90,30 @@ function has\_block( $block\_type, $post = null ) { } }  
return false !== strpos( $post, '', $serialized\_block\_name, $serialized\_attributes ); }  
return sprintf( '%s', $serialized\_block\_name, $serialized\_attributes, $block\_content, $serialized\_block\_name ); }  
/\*\* \* Returns the content of a block, including comment delimiters, serializing all \* attributes from the given parsed block. \* \* This should be used when preparing a block to be saved to post content. \* Prefer \`render\_block\` when preparing a block for display. Unlike \* \`render\_block\`, this does not evaluate a block's \`render\_callback\`, and will \* instead preserve the markup as parsed. \* \* @since 5.3.1 \* \* @param WP\_Block\_Parser\_Block $block A single parsed block object. \* @return string String of rendered HTML. \*/ function serialize\_block( $block ) { $block\_content = '';  
$index = 0; foreach ( $block\['innerContent'\] as $chunk ) { $block\_content .= is\_string( $chunk ) ? $chunk : serialize\_block( $block\['innerBlocks'\]\[ $index++ \] ); }  
if ( ! is\_array( $block\['attrs'\] ) ) { $block\['attrs'\] = array(); }  
return get\_comment\_delimited\_block\_content( $block\['blockName'\], $block\['attrs'\], $block\_content ); }  
/\*\* \* Returns a joined string of the aggregate serialization of the given parsed \* blocks. \* \* @since 5.3.1 \* \* @param WP\_Block\_Parser\_Block\[\] $blocks Parsed block objects. \* @return string String of rendered HTML. \*/ function serialize\_blocks( $blocks ) { return implode( '', array\_map( 'serialize\_block', $blocks ) ); }  
/\*\* \* Filters and sanitizes block content to remove non-allowable HTML from \* parsed block attribute values. \* \* @since 5.3.1 \* \* @param string $text Text that may contain block content. \* @param array\[\]|string $allowed\_html An array of allowed HTML elements \* and attributes, or a context name \* such as 'post'. \* @param string\[\] $allowed\_protocols Array of allowed URL protocols. \* @return string The filtered and sanitized content result. \*/ function filter\_block\_content( $text, $allowed\_html = 'post', $allowed\_protocols = array() ) { $result = '';  
$blocks = parse\_blocks( $text ); foreach ( $blocks as $block ) { $block = filter\_block\_kses( $block, $allowed\_html, $allowed\_protocols ); $result .= serialize\_block( $block ); }  
return $result; }  
/\*\* \* Filters and sanitizes a parsed block to remove non-allowable HTML from block \* attribute values. \* \* @since 5.3.1 \* \* @param WP\_Block\_Parser\_Block $block The parsed block object. \* @param array\[\]|string $allowed\_html An array of allowed HTML \* elements and attributes, or a \* context name such as 'post'. \* @param string\[\] $allowed\_protocols Allowed URL protocols. \* @return array The filtered and sanitized block object result. \*/ function filter\_block\_kses( $block, $allowed\_html, $allowed\_protocols = array() ) { $block\['attrs'\] = filter\_block\_kses\_value( $block\['attrs'\], $allowed\_html, $allowed\_protocols );  
if ( is\_array( $block\['innerBlocks'\] ) ) { foreach ( $block\['innerBlocks'\] as $i => $inner\_block ) { $block\['innerBlocks'\]\[ $i \] = filter\_block\_kses( $inner\_block, $allowed\_html, $allowed\_protocols ); } }  
return $block; }  
/\*\* \* Filters and sanitizes a parsed block attribute value to remove non-allowable \* HTML. \* \* @since 5.3.1 \* \* @param mixed $value The attribute value to filter. \* @param array\[\]|string $allowed\_html An array of allowed HTML elements \* and attributes, or a context name \* such as 'post'. \* @param string\[\] $allowed\_protocols Array of allowed URL protocols. \* @return array The filtered and sanitized result. \*/ function filter\_block\_kses\_value( $value, $allowed\_html, $allowed\_protocols = array() ) { if ( is\_array( $value ) ) { foreach ( $value as $key => $inner\_value ) { $filtered\_key = filter\_block\_kses\_value( $key, $allowed\_html, $allowed\_protocols ); $filtered\_value = filter\_block\_kses\_value( $inner\_value, $allowed\_html, $allowed\_protocols );  
if ( $filtered\_key !== $key ) { unset( $value\[ $key \] ); }  
$value\[ $filtered\_key \] = $filtered\_value; } } elseif ( is\_string( $value ) ) { return wp\_kses( $value, $allowed\_html, $allowed\_protocols ); }  
return $value; }  
/\*\* \* Parses blocks out of a content string, and renders those appropriate for the excerpt. \*

CVE-2019-16780: Prevent stored XSS in the block editor. · WordPress/wordpress-develop@505dd6a

The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure.

CVE-2019-19985

The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via module, EditShortcode, or LayoutName.

**Details**

ZOHO CRM Lead Magnet version 1.6.9.1  
Bug Name: Reflected Cross Site Scripting (XSS) in WordPress Plugin  
Product: ZOHO CRM Lead Magnet version 1.6.9.1  
Version: 1.6.9.1  
Last Updated: 14-10-2019  
Homepage: http://localhost/wordpress/  
Severity: High  
Status: Fixed  
Exploitation Requires Authentication?: yes  
Vulnerable URL: http://localhost/wordpress/wp-admin/admin.php?page=create-leadform-builder&\_\_module=ManageShortcodes&\_\_action=zcfCrmManageFieldsLists&onAction=onCreate&crmtype=crmformswpbuilder&module=Leads&EditShortcode=58H3N&LayoutName=Standard&formName=Unititled  
Vulnerable Variable: **Module & EditShortcode & LayoutName**

**Description:**

A cross site scripting (XSS) attack can cause arbitrary code (java script) to run in a user’s browser while the browser is connected to a trusted web site. The application targets your application’s users and not the application itself, but it uses your application as the vehicle for the attack. XSS payload is executing when the user loads an create lead form page created in **Zoho CRM Lead Magnet Version 1.6.9.1**

**Proof of concept: (POC)**

**Issue 1:**

By exploiting a Cross-site scripting vulnerability an attacker easily gain access to user’s session by stealing cookies and also exploit the user browser.

1.  Login to the application
    
2.  Install Zoho CRM Lead Magnet Plugin
    

**Figure 01:** Zoho CRM Lead Magnet

3.  Configure the **client id** and **secret key**  
    

**Figure 02:** client key and secret id are filled in Authenticating Zoho CRM Plugin

4.  Click on **Create New Form** button and fill the values and click on **Next** button

**Figure 03:** new form in Zoho CRM Plugin

5.  Add the payload <img src=x onerror=alert(document.cookie)> to the vulnerable parameters by intercepting the request in a proxy tool.

**Figure 04:** Request with XSS payload sent to the server

  
**Figure 05:** Request and response captured in the proxy

6.  Injected XSS payload is successfully executed when the user visits or reloads the page  
    

**Figure 06:** The JavaScript is successfully executed in the victim browser context

**Figure 07:** The WordPress application running on version 5.2.3

**Figure 08:** The WordPress **Zoho CRM Lead Magnet plugin Version: 1.6.9.1**

**Figure 09:** The default cross-site scripting mitigation setting in **wp.config** file to prevent cross site scripting attacks.

**Reproducing Steps**

1.  Logon into WordPress application in localhost
2.  Access the vulnerable GET Request URL with XSS payload inserted into the vulnerable variable.
3.  XSS will get executed in the user machine once the user clicks on the given vulnerable link.

**Timeline**

2019-10-13 – Discovered in WordPress( Zoho CRM Lead Magnet Plugin ) Product  
2019-10-14 – Reported to plugins@wordpress.org  
2019-10-15 – Received instant response from WordPress plugin team.  
2019-10-15 – Issue acknowledged and fixed immediately.  
2019-10-16 – Came up with a write up here.

**Discovered by:**  
Saran Baskar from Cyber Security Works Research Lab

CVE-2019-19306: ZOHO CRM Lead Magnet version 1.6.9.1 · Issue #16 · cybersecurityworks/Disclosed

A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ... xlink:href="#identifier">' substring.

CVE-2019-18854: Changeset 2185438 – WordPress Plugin Repository

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.

Timestamp:

10/14/2019 03:38:14 PM (3 years ago)

whyisjake

Message:

Administration: Ensure that admin referer nonce is valid.  

Coding standards, ensure that nonce is valid with identical, rather then equal operator.  

Props vortfu, xknown, whyisjake.  

Location:

trunk

Files:

  

*   src/wp-includes/pluggable.php (2 diffs)
*   tests/phpunit/tests/auth.php (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **trunk/src/wp-includes/pluggable.php**
    
    r46472
    
    r46477
    
     
    
    1107
    
    1107
    
         \*/
    
    1108
    
    1108
    
        function check\_admin\_referer( $action = -1, $query\_arg = '\_wpnonce' ) {
    
    1109
    
     
    
            if ( -1 == $action ) {
    
     
    
    1109
    
            if ( -1 ==\= $action ) {
    
    1110
    
    1110
    
                \_doing\_it\_wrong( \_\_FUNCTION\_\_, \_\_( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
    
    1111
    
    1111
    
            }
    
    …
    
    …
    
     
    
    1126
    
    1126
    
            do\_action( 'check\_admin\_referer', $action, $result );
    
    1127
    
    1127
    
    1128
    
     
    
            if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
    
     
    
    1128
    
            if ( ! $result && ! ( -1 ==\= $action && strpos( $referer, $adminurl ) === 0 ) ) {
    
    1129
    
    1129
    
                wp\_nonce\_ays( $action );
    
    1130
    
    1130
    
                die();
    
*   **trunk/tests/phpunit/tests/auth.php**
    
    r45717
    
    r46477
    
     
    
    25
    
    25
    
            self::$user\_id = self::$\_user->ID;
    
    26
    
    26
    
    27
    
     
    
            require\_once( ABSPATH . WPINC . '/class-phpass.php' );
    
     
    
    27
    
            require\_once ABSPATH . WPINC . '/class-phpass.php';
    
    28
    
    28
    
            self::$wp\_hasher = new PasswordHash( 8, true );
    
    29
    
    29
    
        }
    
    …
    
    …
    
     
    
    166
    
    166
    
        }
    
    167
    
    167
    
     
    
    168
    
        public function test\_check\_admin\_referer\_with\_default\_action\_as\_string\_not\_doing\_it\_wrong() {
    
     
    
    169
    
            $this->setExpectedIncorrectUsage( 'check\_admin\_referer' );
    
     
    
    170
    
            // A valid nonce needs to be set so the check doesn't die()
    
     
    
    171
    
            $\_REQUEST\['\_wpnonce'\] = wp\_create\_nonce( '-1' );
    
     
    
    172
    
            $result               = check\_admin\_referer( '-1' );
    
     
    
    173
    
            $this->assertSame( 1, $result );
    
     
    
    174
    
     
    
    175
    
            unset( $\_REQUEST\['\_wpnonce'\] );
    
     
    
    176
    
        }
    
     
    
    177
    
    168
    
    178
    
        /\*\*
    
    169
    
    179
    
         \* @ticket 36361
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2019-17675: Changeset 46477 – WordPress Trac

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.

CVE-2019-17670

The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter.

**Details**

Word Press Product Bugs Report  
Bug Name Cross Site Scripting (XSS)  
Software: Blubrry PowerPress Podcasting plugin  
Version: 6.0.4  
Last Updated: 27-08-2015  
Homepage: https://wordpress.org/plugins/powerpress/developers/  
Compatible Up to Wordpress 4.3.0 Version (Requires: 3.6 or higher)  
Severity High  
Description: Cross Site Scripting (XSS) vulnerability in WordPress plugin NextGen Gallery

**Proof of concept: (POC)**

Visit the following page on a site with this plugin installed. http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin\_basic.php and modify the value of tab variable with "></script><script>alert(document.cookie);</script> payload and send the request to the server.

Now, the added XSS payload will be echoed back from the server without validating the input. It also affects wp-config.php file, $table\_prefix and corrupts the database connectivity.

**Note:** XSS payload has been tried with the application once after implementing Unfiltered Html Settings as defined to wp-config.php file.

_**define( 'DISALLOW\_UNFILTERED\_HTML', true );**_

**Issue 1:**

The Post Request **tab** variable in the URL http://localhost/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin\_basic.php is vulnerable to Cross Site Scripting (XSS)

**Figure 1:** Invalid HTTP script Request sent to the server through the vulnerable **tab** variable in the URL http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin\_basic.php and its echoed back in the HTTP Response without validation.

**Reproducing Steps**

1.  Logon into any wordpress application (localhost or public host)
2.  Modifying the value of tab variable in Blubrry PowerPress Version 6.0.4
3.  Fill all the variables with "></script><script>alert(document.cookie);</script> payload and send the request to the server.
4.  Now, the added XSS payload will be echoed back from the server without validating the input even after wp-config.php file has been configured with XSS filter settings.

**Timeline**

2015-09-04 – Discovered in Blubrry PowerPress Podcasting plugin 6.0.4 version.  
2015-09-04 – Reported to plugins@wordpress.org  
2015-09-07 – Vendor Responded, "Thank you for reporting this plugin. We're looking into it right now."  
2015-09-09 – Fixed in Blubrry PowerPress Podcasting plugin 6.0.5 version.

**Discovered by:**  
Sathish from Cyber Security Works Pvt Ltd

CVE-2015-9410: XSS Vulnerability in Blubrry PowerPress Podcasting plugin Version 6.0.4 · Issue #7 · cybersecurityworks/Disclosed

The colorway theme before 3.4.2 for WordPress has XSS via the contactName parameter.

Yorick Koster, July 2016

**Cross-Site Scripting vulnerability in ColorWay WordPress Theme****Abstract**

Multiple Cross-Site Scripting vulnerabilities were found in the ColorWay WordPress Theme. These issues allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website.

**Contact**

For feedback or questions about this advisory mail us at sumofpwn at securify.nl

**The Summer of Pwnage**

This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

**OVE ID**

OVE-20160712-0024

**Tested versions**

These issues were successfully tested on ColorWay WordPress Theme version 3.4.1.

**Fix**

This issue is resolved in ColorWay WordPress Theme version 3.4.2.

**Introduction**

Colorway is simple, elegant, responsive WordPress Theme built by InkThemes.com. Multiple Cross-Site Scripting vulnerabilities were found in the ColorWay WordPress Theme. These issues allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website.

**Details**

These issues exists due to the lack of output encoding of user input. An example can be seen in the file _contact.php_. Several POST parameters are using in the output without applying proper encoding.

<form action="<?php the\_permalink(); ?>" id="contactForm" method="post">  
   <ul class="contactform">  
      <li>  
         <label for="contactName"><?php \_e('Name:', 'colorway'); ?></label>  
         <input type="text" name="contactName" id="contactName" value="<?php if (isset($\_POST\['contactName'\])) **echo $\_POST\['contactName'\];** ?>" class="required requiredField" />  
         <?php if ($nameError != '') { ?>  
            <span class="error"> <?php echo $nameError; ?> </span>  
         <?php } ?>  
      </li>  
      <li>  
         <label for="email"><?php \_e('Email', 'colorway'); ?></label>  
         <input type="text" name="email" id="email" value="<?php if (isset($\_POST\['email'\])) **echo $\_POST\['email'\];** ?>" class="required requiredField email" />  
         <?php if ($emailError != '') { ?>  
            <span class="error"> <?php echo $emailError; ?> </span>  
         <?php } ?>  
      </li>  
      <li>  
         <label for="commentsText"><?php \_e('Message:', 'colorway'); ?></label>  
         <textarea name="comments" id="commentsText" rows="20" cols="30" class="required requiredField"><?php  
            if (isset($\_POST\['comments'\])) {  
               if (function\_exists('stripslashes')) {  
                  **echo stripslashes($\_POST\['comments'\]);**  
               } else {  
                  **echo $\_POST\['comments'\];**  
               }  
            }  
         ?>  
         </textarea>  
         <?php if ($commentError != '') { ?>  
            <span class="error"> <?php echo $commentError; ?> </span>  
         <?php } ?>  
      </li>  
      <li>  
         <input type="submit" value="<?php \_e('Send Email', 'colorway'); ?>"/>  
      </li>  
   </ul>  
   <input type="hidden" name="submitted" id="submitted" value="true" />  
</form>

**Proof of concept**

<html>  
   <body>  
      <form action="http://<target>/contact/" method="POST">  
         <input type="hidden" name="contactName" value="&quot;><script>alert(document.cookie);</script>" />  
         <input type="hidden" name="email" value="" />  
         <input type="hidden" name="comments" value="                                                " />  
         <input type="hidden" name="submitted" value="true" />  
         <input type="submit" value="Submit request" />  
      </form>  
   </body>  
</html>

CVE-2016-10961: Summer of Pwnage! July 1-29, Amsterdam.

The Neosense theme before 1.8 for WordPress has qquploader unrestricted file upload.

**Vulnerability**

Neosense is a WordPress theme by dynamicpress.

Neosense theme version 1.7 contains an unrestricted file upload vulnerability.

Version 1.7 (and possibly earlier) includes in its theme directory a copy of the "qquploader" ajax file uploader, which does not verify user authorization. Using this uploader, an attacker can upload any file to the site. The uploaded file is placed in the wp-content/uploads/YYYY/mm directory, which is normally writable.

The vulnerability can be used to achieve remote code execution by uploading a PHP script with extension .php or .phtml.

**Fix**

The vulnerability was fixed in Neosense theme 1.8 by switching to WordPress core functions for file uploads.

**Timeline**

*   12 Aug: Vulnerability submitted to dynamicpress
*   16 Aug: Response by dynamicpress
*   29 Aug: Neosense theme 1.8 released by dynamicpress
*   19 Sep: Vulnerability published

**Credits**

The vulnerability was found by Walter Hop, Slik BV, The Netherlands.

Tag

#wordpress