Cross-Site Scripting (XSS) in GistPress WordPress Plugin – Technical findings
Cross-Site Scripting (XSS) is a vulnerability that results from missing or inadequate sanitisation of user-supplied data that is later rendered back to a user.
The shortcode handler in GistPress version 3.0.1 was vulnerable to XSS. The “id” attribute of the shortcode was used without validation when building the URL to fetch, which allowed an attacker to make the plugin request unanticipated URLs and render the attacker-controlled response in the post.
To replicate the finding please follow these steps:
1. Go to https://gist.github.com
2. Create a new file called “anything.json” with contents like the example shown below and save it:
Also note: the filename must end in “.json” because GistPress automatically appends “.json” to the “id” value before requesting the file.
3. Once saved, the file was accessible at the gist URL shown below:
4. Obtain the “raw” link to that content using the button as shown below:
Figure 1 – Raw button shown on gist UI
5. This gave a URL like the one shown below:
6. Create a new blog post and add a shortcode similar to the one shown below:
Note: this used the URL to the raw version of the file saved on gist but with the “.json” part omitted.
Figure 2 – XSS Confirmed
Risk Category: High
CVSSv3.1 Score: 5.8 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)
Note on the score: the vector string shown evaluates to a base score of 9.9 and a temporal score of 8.9 under the CVSS v3.1 formula, so the 5.8 figure does not correspond to this vector; one of the two is in error, and the “High” category below is consistent with the vector rather than with 5.8.
Explanation: XSS can pose a significant risk. Because a stored XSS payload in WordPress executes in the browser of whoever views the post, including administrators, it can be used for privilege escalation (for example by performing authenticated administrative actions on the victim’s behalf), so the risk categorisation of “High” was believed to be appropriate.
In this case the solution is to add input validation to prevent invalid gist “id” values. There is an expected format for these ids. An example id is shown below:
The expected value consists only of the characters 0-9 and a-f (lowercase hexadecimal) and is 32 characters long.
GistPress should check that the “id” value matches this format before attempting to download any content, and stop processing the shortcode when it does not. Rejecting anything other than a well-formed id would prevent the vulnerability.
The GistPress project lead responded positively to the disclosure and patched the project as per this update.
The key part of the update is illustrated in Figure 3:
Figure 3 – Validation Added
The patch worked by using “preg_replace” to remove any non-alphanumeric characters from the “id” parameter value.
Advice was provided that sanitisation (stripping unwanted characters and carrying on) is not the most secure approach: the preferred fix is to halt processing of the request when the “id” does not match the expected format, so that attacker-controlled input is never used to build a request at all. However, the XSS attack appeared adequately mitigated because the payload relied on the presence of the forward slash (“/”) character, which the patch removes.
The vulnerability was mitigated in version 3.0.2 of GistPress.
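The difference between the two approaches, as an added example rather than GistPress code: the validating function below fails closed on anything that is not a 32-character lowercase hex id, while the sanitising function reproduces the strip-and-continue behaviour of the 3.0.2 patch. The function names, the sample ids and the request URL format (gist.github.com plus the id plus “.json”, as the reproduction steps describe) are assumptions made for this illustration, and plain PHP is used instead of the WordPress shortcode API so the script runs on its own with `php example.php`.

```php
<?php
// Added example for this write-up; not GistPress code. Function names,
// sample ids and the request URL format are constructed for illustration.

/**
 * Validation (fail closed): accept only a 32-character lowercase hex id,
 * the format described above, and return null for anything else so the
 * caller can stop before any request is made.
 */
function example_validate_gist_id( $id ) {
    if ( ! is_string( $id ) ) {
        return null;
    }
    return ( preg_match( '/^[0-9a-f]{32}$/', $id ) === 1 ) ? $id : null;
}

/**
 * Sanitisation in the style of the 3.0.2 patch: strip every character
 * that is not alphanumeric. The output can always be concatenated into a
 * URL safely, but it may be a different id from the one supplied and the
 * request still goes ahead with attacker-influenced input.
 */
function example_sanitise_gist_id( $id ) {
    return preg_replace( '/[^A-Za-z0-9]/', '', (string) $id );
}

/**
 * Assumed request format: the id is appended to the gist host and ".json"
 * is added, as the reproduction steps describe. Kept only so the demo
 * can show which URL each approach would have fetched.
 */
function example_gist_json_url( $id ) {
    return 'https://gist.github.com/' . $id . '.json';
}

/**
 * Shortcode-style handler using the validating approach: returns an HTML
 * comment for the post instead of fetching anything when the id is bad.
 */
function example_gist_shortcode( array $atts ) {
    $id = example_validate_gist_id( isset( $atts['id'] ) ? $atts['id'] : '' );
    if ( null === $id ) {
        return '<!-- gist: invalid id, no request made -->';
    }
    // A real handler would fetch and render the gist here.
    return 'would fetch ' . example_gist_json_url( $id );
}

// Constructed inputs: a well-formed id, an id carrying extra URL path
// components (the finding's payload relied on the "/" character), a
// mixed-case id of the right length, and a short id.
$samples = array(
    str_repeat( 'ab', 16 ),
    str_repeat( 'ab', 16 ) . '/../../evil/raw/x',
    strtoupper( str_repeat( 'ab', 16 ) ),
    'abc',
);

foreach ( $samples as $sample ) {
    $validated = example_validate_gist_id( $sample );
    printf(
        "input=%s\n  validate => %s\n  sanitise => %s\n  shortcode => %s\n",
        $sample,
        null === $validated ? 'REJECTED (no request)' : example_gist_json_url( $validated ),
        example_gist_json_url( example_sanitise_gist_id( $sample ) ),
        example_gist_shortcode( array( 'id' => $sample ) )
    );
}
```

Running the script shows the practical difference: for the path-carrying input the validator rejects and makes no request, whereas the sanitiser silently turns it into a harmless-looking but fabricated id and still issues a request. Two checks before adopting the pattern as-is: older gists used shorter ids, so the length part of the pattern should be confirmed against the ids a site actually embeds (the character-class restriction is what removes the “/” the payload relied on), and the pattern should be anchored with `^` and `$` exactly as shown, since an unanchored match would accept a valid id embedded in a longer, attacker-chosen string.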
The affected item was:
- Gistpress shortcode handling of the “id” parameter.
- Versions 3.0.1 and earlier