Uncovering a Stored XSS Vulnerability in WordPress.com via Crowdsignal | Bug Bounty
Hey Security Enthusiasts!
I'm System.Exit, and today we're delving into a recent bug bounty discovery involving a Stored Cross-Site Scripting (XSS) vulnerability on WordPress.com through the Crowdsignal application. Join me as we explore the details of this vulnerability and the steps taken to exploit it.
What is Stored XSS?
Before we dive in, let's briefly recap Stored XSS. It occurs when an attacker submits malicious script to a web application, where it is stored (for example in a database) and later rendered into a page and executed in the browsers of other users who view it. It typically involves input fields whose contents are stored and then rendered without proper sanitization or output encoding.
Summary:
A researcher identified a Stored XSS vulnerability affecting WordPress.com via app.crowdsignal.com. The vulnerability was found in the poll creation and sharing flow: a poll answer could carry a malicious payload that was stored and later executed in the context of a victim's browser when the poll results were viewed.
Steps to Reproduce:
Log in and Create a Poll:
- Go to Crowdsignal Dashboard and create a poll.
Inject Malicious Payload:
- Enter the following payload as an answer:
style="position:fixed;top:0;left:0;border:999em solid green;" onmouseover="alert(document.cookie)"
Share the Poll:
- Go to "Share Your Poll" and copy the link provided.
Create a Post on WordPress:
- Navigate to WordPress Posts and add a new post.
- Include the copied link in the post and save it.
Trigger the XSS:
- Open the page and click on "View Results."
- The XSS vulnerability will be triggered, displaying an alert with the document's cookies.
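To make the mechanics of the steps above concrete, here is an added example (not Crowdsignal's or WordPress.com's code) showing why a payload of that shape produces a new event-handler attribute when a poll answer is interpolated into an HTML tag unquoted and unencoded, and why quoting the attribute and encoding the value stops it. The two templates and the attribute scanner are hypothetical.

```javascript
// Added example, not Crowdsignal's or WordPress.com's code. The templates and
// the scanner are hypothetical; the payload is the one from the write-up.
const PAYLOAD =
  'style="position:fixed;top:0;left:0;border:999em solid green;" onmouseover="alert(document.cookie)"';

// Encode the characters that can terminate an attribute value or a tag.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
// Hypothetical vulnerable template: unquoted attribute, raw stored value.
function renderVulnerable(answer) {
  return `<span class=answer title=${answer}>View Results</span>`;
}
// Hardened template: quoted attribute, value encoded for attribute context.
function renderSafe(answer) {
  return `<span class="answer" title="${escapeHtmlAttr(answer)}">View Results</span>`;
}
// Minimal start-tag attribute scanner following the HTML tokenizer's rules
// for quoted and unquoted values. It returns the attribute names a browser
// would see, which is enough to tell whether a handler was smuggled in.
function attributeNames(tag) {
  const names = [];
  let i = tag.indexOf(' ') + 1;                       // skip "<tagname"
  while (i < tag.length && tag[i] !== '>') {
    while (/\s/.test(tag[i])) i++;
    let name = '';
    while (i < tag.length && !/[\s=>]/.test(tag[i])) name += tag[i++];
    if (name) names.push(name.toLowerCase());
    if (tag[i] === '=') {
      i++;
      if (tag[i] === '"' || tag[i] === "'") {         // quoted value
        const quote = tag[i++];
        while (i < tag.length && tag[i] !== quote) i++;
        i++;                                          // step past closing quote
      } else {                                        // unquoted: ends at whitespace or '>'
        while (i < tag.length && !/[\s>]/.test(tag[i])) i++;
      }
    }
  }
  return names;
}
// Detection helper: does the rendered tag carry any on* event handler?
function hasEventHandler(html) {
  return attributeNames(html).some((n) => n.startsWith('on'));
}
```

With the unquoted template the browser sees `onmouseover` as a real attribute (the `style` part makes the element cover the viewport so any mouse movement fires it); with the quoted, encoded template the whole payload stays inside `title`.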
The Request:
The Response:
Impact:
The Stored XSS vulnerability shows that poll answers were stored and rendered without proper input sanitization or output encoding. This could lead to various malicious outcomes, including the execution of attacker-controlled scripts in the victim's browser, theft of cookies, or redirection of users to malicious sites.
Response from WordPress:
- Disclosure Date: June 26, 2023, 3:49pm UTC
- Severity: Medium (4 to 6.9)
- Bug Status: Fixed
While there was no bounty reward for this specific discovery, the vulnerability was reported and fixed, highlighting the importance of responsible disclosure and continuous security improvements.
Final Thoughts:
Certainly, @Sy963 (riadalrashed)! It's fantastic to hear that an initial remediation is in place and that the steps for reproduction are no longer functional. Your dedication to security research and responsible disclosure is commendable.
It's great to see the vulnerability addressed promptly, ensuring a safer experience for users. A big shoutout to all the readers for their support and engagement. Your interest in cybersecurity and bug bounty adventures is what makes our community thrive. Together, we contribute to a safer digital landscape.
Thank you for being part of this journey, and stay tuned for more exciting discoveries and insights. Your ongoing support is genuinely appreciated!
Happy hacking! 🎉🔐