Reflected XSS via rp4wp_parent in barrykooij/related-posts-for-wp

Valid

Reported on

Sep 20th 2022


Description

The rp4wp_parent value is echoed without encoding, leading to reflected XSS.

Proof of Concept

Install wordpress, install the "Related Posts for WordPress" plugin, then visit the following URL, where localhost is the server hosting the app:

http://localhost/wordpress/wp-admin/admin.php?page=rp4wp_link_related&rp4wp_parent=156x%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E

Impact

With a successful attack, an attacker can access all data the attacked user has access to, as well as perform arbitrary requests in the name of the attacked user.

In the case of a default wordpress installation, the attacker could eg add a new admin user and gain RCE via the plugin/theme editor.

Occurrences

Value is read from $_GET['rp4wp_parent'];, stored in $parent, passed to $cancel_url and then echoed without encoding.

We are processing your report and will contact the barrykooij/related-posts-for-wp team within 24 hours. 2 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the barrykooij/related-posts-for-wp team and are waiting to hear back 2 months ago
Barry Kooij validated this vulnerability 2 months ago
foobar7 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Barry Kooij
2 months ago

Maintainer


Thank you for your report, I will fix this over the weekend!

Barry Kooij marked this as fixed in 2.1.2 with commit 269e0a 2 months ago
Barry Kooij has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation