@sybrew

sybrew/email.txt Secret

Created Dec 19, 2019
Email to w.org about Donorbox
Hello W.org Plugin Team!
Plugin:
https://wordpress.org/plugins/donorbox-donation-form/
Vulnerability:
Stored XSS via the shortcode by creating arbitrary attributes. It only requires privileges to store shortcodes. When shortcodes are running in comments, unauthorized visitors can craft the payload.
When XSS protection is enabled on the server, this has no effect.
Vulnerable line: https://plugins.trac.wordpress.org/browser/donorbox-donation-form/trunk/donorbox_embed_campaign.php#L153
PoC snippet:
[donate url='/\?\" autofocus onfocus=\"alert(window)\" abitraryAttributeToValidateShortcodeParsing=\"']
onLoad may or may not work, because there’s a script that the plugin outputs which overrides that attribute. ‘onfocus=’ combined with ‘autofocus’ seems to do the trick ;)
Solution:
Before $campaign_id is echoed, run this:
$campaign_id = esc_attr( $campaign_id );
Kind regards,
Sybre Waaijer
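What the proposed fix looks like in a complete shortcode handler, as an added example that is neither the plugin's code nor part of the email: a hypothetical [donate] callback (the function name example_donate_shortcode, the accepted attribute names and the output markup are all assumptions) that whitelists attributes with shortcode_atts() and escapes the campaign id with esc_attr() before it is placed in an HTML attribute. It assumes a WordPress runtime, where add_shortcode(), shortcode_atts(), esc_attr() and esc_url() exist.

```php
<?php
// Added illustration, not the Donorbox plugin's own code: a hypothetical
// [donate] shortcode handler showing the mitigation the email describes.
// Assumes it runs inside WordPress, where add_shortcode(), shortcode_atts(),
// esc_attr() and esc_url() are available.

function example_donate_shortcode( $atts ) {
    // Whitelist the attributes the shortcode accepts. shortcode_atts()
    // keeps only the keys listed in the defaults array, so any extra
    // attribute written into the shortcode tag is discarded here.
    $atts = shortcode_atts(
        array(
            'url'         => '',
            'campaign_id' => '',
        ),
        $atts,
        'donate'
    );

    // Escape every value at the point it is written into markup.
    // esc_attr() encodes quotes, <, > and &, so a value can no longer close
    // the surrounding attribute and start a new one; esc_url() additionally
    // rejects disallowed protocols for the URL.
    $campaign_id = esc_attr( $atts['campaign_id'] );
    $url         = esc_url( $atts['url'] );

    // Illustrative output markup (assumption): both values land inside
    // double-quoted attributes, which is exactly where escaping is required.
    return '<iframe src="' . $url . '" data-campaign="' . $campaign_id . '"></iframe>';
}

add_shortcode( 'donate', 'example_donate_shortcode' );
```

The two steps are independent: shortcode_atts() removes attributes the handler never asked for, and esc_attr() neutralises quote characters in the values that remain, so neither a crafted attribute name nor a crafted value can break out of the attribute context. Escaping at output time, rather than trusting the stored shortcode, is the check to apply wherever a shortcode attribute ends up in HTML.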
@sybrew sybrew commented Dec 19, 2019

Once the plugin's vulnerability is addressed (i.e., plugin is updated to 7.1.2), the exploited shortcode will no longer be effective.
