SofCora/pentesting_project_sofcora
# pentesting_project_sofcora

Pen testing project for CodePath, fall 2022.

Time spent: 25-30 hours in total

Objective: Find, analyze, recreate, and document five vulnerabilities affecting an old version of WordPress.

## Pen Testing Report

1. (Required) Vulnerability Name or ID: Cross-site scripting in post title
   - Summary:
     - Vulnerability type: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
     - Tested in version: 4.2
     - Fixed in version: 4.2.6
   - Steps to recreate: create a new post, put `<IFRAME SRC="javascript:alert('XSS');"></IFRAME>` into the title of the post, and when you reload the page an alert box will appear. The wpscan vulnerability is just for posts and pages, but I found a similar exploit in post titles.
   - Affected source code / references:
     - Link 1: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
     - https://klikki.fi/adv/wordpress3.html
2. (Required) Vulnerability Name or ID: Cross-site scripting in comment
   - Summary:
     - Vulnerability type: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
     - Tested in version: 4.2.0
     - Fixed in version: 4.2.23
   - Steps to recreate: logged in as administrator, add a comment that says ; after you submit it, a button will appear that brings up the 'XSS' pop-up alert.
   - Affected source code / resources:
     - Link 1: https://blog.sonarsource.com/wordpress-csrf-to-rce/?redirect=rips
     - https://wpscan.com/vulnerability/d150f43f-6030-4191-98b8-20ae05585936
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787
     - https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
     - https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
3. (Required) Vulnerability Name or ID: WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename
   - Summary:
     - Vulnerability type:
     - Tested in version: 4.2.0
     - Fixed in version: 4.2.10
   - Steps to recreate: I put an XSS script into the name of a JPEG file that I downloaded, then uploaded it into a post "". In the post, the image is set to an attachment page, so when the user clicks on the image it takes them to a separate page where the URL is now the title of the image, running the script, which in my case shows the user's cookie information.
   - Affected source code:
     - Link 1: Summer of Pwn link that provided documentation for how to recreate the exploit: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html

## Assets

List any additional assets, such as scripts or files
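The three findings above share one root cause: post titles, comment bodies and upload file names are user-controlled strings that reach HTML without context-appropriate escaping. The following Python model is an added example, not code from this report or from WordPress: it renders a constructed post the vulnerable way beside a hardened version (HTML-text escaping, attribute escaping, URL quoting, and a file-name allow-list), and checks the result with an HTML parser rather than a substring grep, so that escaped text such as `&lt;IFRAME` is correctly not flagged. The template, function names and sample values are assumptions; the payload is the one quoted in finding 1.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import quote

# Payload quoted in finding 1 of this report; post/comment/filename values are constructed.
IFRAME_PAYLOAD = '<IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME>'


def render_unsafe(title: str, comment: str, filename: str) -> str:
    """The vulnerable pattern: user-controlled strings dropped straight into markup."""
    return (f"<h1>{title}</h1>\n"
            f"<div class='comment'>{comment}</div>\n"
            f"<a href='/attachment/{filename}' title='{filename}'>{filename}</a>")


def sanitize_filename(name: str) -> str:
    """Keep a conservative character set for uploaded file names; everything else becomes '_'.
    Stripping leading dots also means '../../x' cannot escape the upload directory."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", name).strip("._") or "file"


def render_safe(title: str, comment: str, filename: str) -> str:
    """Same template, escaped per context: HTML text, HTML attribute, URL path segment."""
    clean = sanitize_filename(filename)
    return (f"<h1>{html.escape(title)}</h1>\n"
            f"<div class='comment'>{html.escape(comment)}</div>\n"
            f"<a href='/attachment/{quote(clean, safe='')}' "
            f"title='{html.escape(clean, quote=True)}'>{html.escape(clean)}</a>")


class _ActiveContent(HTMLParser):
    """Collects tags and attributes that would run script once a browser parses the page."""
    RISKY_TAGS = {"iframe", "script", "object", "embed"}

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.RISKY_TAGS:
            self.hits.append(tag)
        for name, value in attrs:
            if name.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                self.hits.append(f"{tag}@{name}")


def active_content(rendered: str) -> list[str]:
    """Parse rendered HTML the way a browser would; returns [] when nothing executable survives."""
    parser = _ActiveContent()
    parser.feed(rendered)
    parser.close()
    return parser.hits
```

Running `active_content(render_unsafe(IFRAME_PAYLOAD, "nice post", "cat.jpg"))` reports the iframe and its `javascript:` src, while the hardened renderer returns an empty list for the same inputs.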

## Resources

- WordPress Source Browser
- WordPress Developer Reference
- GIFs created with ...

## Notes

Describe any challenges encountered while doing the work

## License

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
