Reflected XSS via rp4wp_parent in barrykooij/related-posts-for-wp

Valid

Reported on

Sep 20th 2022


Description

The rp4wp_parent GET parameter is echoed into the plugin's "link related posts" admin page without output encoding, leading to reflected cross-site scripting (XSS) in the context of the logged-in WordPress user who opens the crafted link.

Proof of Concept

Install WordPress, install the "Related Posts for WordPress" plugin, log in to wp-admin, then visit the following URL, where localhost is the server hosting the app:

http://localhost/wordpress/wp-admin/admin.php?page=rp4wp_link_related&rp4wp_parent=156x%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E

The rp4wp_parent value decodes to 156x'"><img src=x onerror=alert(1)>: the quote and closing bracket break out of the attribute the value is echoed into, and the injected img element's onerror handler executes.

Impact

With a successful attack, an attacker can access all data the attacked user has access to, as well as perform arbitrary requests (including nonce-protected actions, since the script runs in the victim's page) in the name of the attacked user.

Because the vulnerable page lives under wp-admin, the victim must be a logged-in user with access to the plugin's admin screen; the attacker only needs to get such a user to open the crafted link. In the case of a default WordPress installation where the victim is an administrator, the attacker could e.g. add a new admin user and gain RCE via the plugin/theme editor.

Occurrences

The value is read from $_GET['rp4wp_parent'], stored in $parent, passed into $cancel_url and then echoed without encoding. Since the parameter is a post ID, there is no legitimate reason for it to contain anything but digits.
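The following is an added illustration, not the plugin's own code: a hypothetical reconstruction of the pattern described above (a GET value flowing into a cancel URL and into markup unencoded) next to a hardened version. Function names, the "post.php" target and the markup are assumptions; in a WordPress plugin the equivalent fixes are absint() for the ID and esc_url()/esc_attr() on output, shown here with plain PHP so the file runs stand-alone.

```php
<?php
// Added example, not the Related Posts for WordPress code base.
// Constructed sample input: the PoC payload from the report, URL-decoded.
$_GET['rp4wp_parent'] = '156x\'"><img src=x onerror=alert(1)>';

// Vulnerable pattern (hypothetical reconstruction of the reported flow):
// the raw $_GET value is stored in $parent, concatenated into $cancel_url
// and echoed straight into an attribute.
function render_cancel_link_vulnerable(array $get): string
{
    $parent     = isset($get['rp4wp_parent']) ? $get['rp4wp_parent'] : '';
    $cancel_url = 'post.php?action=edit&post=' . $parent;

    // No encoding: a quote in $parent closes the href attribute and
    // whatever follows is parsed as new HTML.
    return '<a href="' . $cancel_url . '">Cancel</a>';
}

// Hardened version. The parent is a post ID, so coerce it to a
// non-negative integer before it reaches the URL (WordPress: absint()),
// and still encode on output as defence in depth (WordPress: esc_url()
// or esc_attr()). PHP's (int) cast keeps the leading digits of
// "156x'\"..." and drops the rest, so the payload never reaches the markup.
function render_cancel_link_hardened(array $get): string
{
    $parent = isset($get['rp4wp_parent']) ? (int) $get['rp4wp_parent'] : 0;
    if ($parent <= 0) {
        // Invalid or missing ID: render nothing rather than reflect input.
        return '';
    }
    $cancel_url = 'post.php?action=edit&post=' . $parent;

    return '<a href="' . htmlspecialchars($cancel_url, ENT_QUOTES, 'UTF-8') . '">Cancel</a>';
}

echo 'vulnerable: ' . render_cancel_link_vulnerable($_GET) . PHP_EOL;
echo 'hardened:   ' . render_cancel_link_hardened($_GET) . PHP_EOL;
```

Run it with php on the command line: the first line of output contains the injected img element intact, the second contains only an integer post ID inside an attribute-encoded URL. The integer coercion is the fix that actually matters here; the output encoding is kept so that a later change to the parameter type does not silently reopen the bug.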

We are processing your report and will contact the barrykooij/related-posts-for-wp team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the barrykooij/related-posts-for-wp team and are waiting to hear back a year ago
Barry Kooij validated this vulnerability a year ago
foobar7 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Barry Kooij
a year ago

Maintainer


Thank you for your report, I will fix this over the weekend!

Barry Kooij marked this as fixed in 2.1.2 with commit 269e0a a year ago
Barry Kooij has been awarded the fix bounty
This vulnerability will not receive a CVE