Email to w.org about Donorbox
Hello W.org Plugin Team!

Plugin:
https://wordpress.org/plugins/donorbox-donation-form/

Vulnerability:
Stored XSS via the shortcode by creating arbitrary attributes. It only requires privileges to store shortcodes. When shortcodes are running in comments, unauthorized visitors can craft the payload.
When XSS protection is enabled on the server, this has no effect.

Vulnerable line: https://plugins.trac.wordpress.org/browser/donorbox-donation-form/trunk/donorbox_embed_campaign.php#L153

PoC snippet:
[donate url='/\?\" autofocus onfocus=\"alert(window)\" abitraryAttributeToValidateShortcodeParsing=\"']

onLoad may or may not work, because there's a script that the plugin outputs which overrides that attribute. 'onfocus=' combined with 'autofocus' seems to do the trick ;)

Solution:
Before $campaign_id is echo'd, run this:
$campaign_id = esc_attr( $campaign_id );

Kind regards,
Sybre Waaijer
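As an added illustration of the fix described in the email (this is not the plugin's code and not part of the original message), the following hypothetical shortcode handler applies esc_attr() to the attribute value before it is placed into the iframe markup. The function names, the iframe markup and the sample input are assumptions; esc_attr() is stubbed with htmlspecialchars() so the file also runs outside WordPress.

```php
<?php
// Added example, not the plugin's own code: a hypothetical shortcode handler
// that applies the fix from the report (esc_attr() before the value is
// echoed into an HTML attribute). Outside WordPress, esc_attr() is stubbed
// with htmlspecialchars() using ENT_QUOTES so that both quote characters are
// encoded; inside WordPress the real function is picked up instead. The stub
// double-encodes existing entities, which WordPress's esc_attr() does not.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

/**
 * Hypothetical handler (name is an assumption) for a [donate url='...']
 * shortcode. The user-supplied value ends up inside a double-quoted HTML
 * attribute, which is the sink the report describes.
 *
 * @param array $atts Shortcode attributes as WordPress passes them.
 * @return string     HTML markup for the embed.
 */
function example_donate_shortcode( $atts ) {
    $atts        = array_merge( array( 'url' => '' ), (array) $atts );
    $campaign_id = $atts['url'];

    // The fix from the report: attribute-escape before echoing. Every quote,
    // angle bracket and ampersand in the value becomes an entity, so the value
    // can no longer terminate the src="..." attribute or introduce attributes
    // of its own.
    $campaign_id = esc_attr( $campaign_id );

    return '<iframe src="' . $campaign_id . '" seamless="seamless"></iframe>';
}

/**
 * Defender-side check: true when a value contains none of the characters
 * that can break out of a quoted HTML attribute or open a tag.
 */
function example_value_is_attribute_safe( $value ) {
    return preg_match( '/["\'<>]/', (string) $value ) === 0;
}

// Constructed sample value: one of each character esc_attr() must neutralise.
$raw = 'a"b\'c<d>';

// Before escaping the value is unsafe for an attribute context; after
// esc_attr() it is safe, and the rendered markup carries only entities.
var_dump( example_value_is_attribute_safe( $raw ) );
var_dump( example_value_is_attribute_safe( esc_attr( $raw ) ) );
echo example_donate_shortcode( array( 'url' => $raw ) ), PHP_EOL;
```

esc_attr() is the right primitive for the HTML-attribute sink named in the report; where the value is meant to be a URL, WordPress also provides esc_url(). Neither function checks that the campaign identifier has the expected shape, so validating its format before output is a further, independent layer.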
Once the plugin's vulnerability is addressed (i.e., plugin is updated to 7.1.2), the exploited shortcode will no longer be effective.