WordPress REST API <= v5.6 is affected by a UFU (unrestricted file upload) vulnerability that allows stored Cross-Site Scripting (XSS).
File Upload Vulnerability, Cross-Site Scripting (XSS) Vulnerability
WordPress is a free and open-source blogging software and content management system (CMS) based on PHP and MySQL. Since version 4.7.0, WordPress has integrated the REST API plugin into its default functionality. The REST API provides users with a convenient and quick management interface.
WordPress REST API versions up to and including 5.6 have a file upload vulnerability. Attackers can exploit this vulnerability via the Media API interface to upload malicious files containing arbitrary JavaScript scripts, thereby carrying out cross-site scripting (XSS) attacks.
Attackers can use this vulnerability to execute arbitrary JavaScript code in the victim's browser. If the victim has high privileges (such as Administrator), the attacker can create a super administrator account and take over the backend management system. From there, the attacker could remotely control the web server and execute arbitrary code.
First, modify the file name by changing the file extension to .gzip. Next, modify the file content by appending 8 bytes of a JPG file header to the end of the original file content.
An attacker with Author privileges can construct an HTTP request and upload the forged malicious HTML file through the Media API.
When the forged file is uploaded, WordPress identifies it as application/x-gzip based on its file extension. During content inspection it is identified as an unknown type, application/octet-stream. Following WordPress's code logic, the uploaded file is finally accepted as a normal application/x-gzip file, so it bypasses the upload filtering mechanism and is stored on the server. The URL of the uploaded file is returned in the response.
The attacker then tricks the victim into visiting the file via that URL, and the JavaScript executes in the victim's browser.
The attacker embeds in the uploaded file a JavaScript script that creates a super administrator (Administrator) account, then exploits this vulnerability to upload the file to the web server.
Once a victim with Administrator privileges visits the file via the URL, the script will execute in their browser, using the victim's authentication information to request the creation of a new administrator account.
The attacker logs in using the newly created Administrator account, successfully taking over the backend system.
The attacker can modify existing PHP files in the backend to include a web shell. This allows the attacker to control the web server and remotely execute arbitrary PHP code.
Successfully Execute System Commands!
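As an added example (not part of the original advisory, nor WordPress code), here is a defender-side scanner in Python that mirrors the inconsistency the advisory describes: it flags stored uploads whose extension claims gzip but whose bytes lack the gzip magic, whose body contains active HTML markup, or that carry a JPEG header somewhere other than offset 0. The sample files, function and field names are constructed for illustration.

```python
import os
import re
from dataclasses import dataclass, field

# Magic bytes for the two formats the described bypass plays against.
GZIP_MAGIC = b"\x1f\x8b"
JPEG_SOI = b"\xff\xd8\xff"
# Active markup a browser would execute if the file were rendered inline.
HTML_MARKERS = re.compile(rb"<\s*(script|html|body|svg|iframe)\b", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def inspect_upload(name: str, data: bytes) -> Finding:
    """Flag an upload whose extension, magic bytes and body disagree."""
    finding = Finding(name)
    ext = os.path.splitext(name)[1].lower()
    if ext in (".gz", ".gzip") and not data.startswith(GZIP_MAGIC):
        finding.reasons.append("extension claims gzip but body lacks gzip magic")
    if HTML_MARKERS.search(data):
        finding.reasons.append("body contains active HTML/script markup")
    offset = data.find(JPEG_SOI)
    if offset > 0:
        finding.reasons.append(f"JPEG header at offset {offset}, not at file start")
    return finding


def scan(entries):
    """Return only the suspicious findings from (name, bytes) pairs."""
    return [f for f in (inspect_upload(n, d) for n, d in entries) if f.suspicious]


# Constructed samples (hypothetical, not real upload data).
SAMPLES = [
    ("archive.gz", b"\x1f\x8b\x08\x00" + bytes(12)),            # genuine gzip
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(8)),  # genuine JPEG
    # Forged file shaped like the advisory's: HTML body, .gzip extension,
    # and 8 bytes of JPEG header appended at the end.
    ("page.gzip", b"<html><script>/* placeholder */</script></html>" + b"\xff\xd8\xff\xe0\x00\x10JF"),
]

if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f.name, "->", "; ".join(f.reasons))
```

Run it over the files in wp-content/uploads to find stored uploads with the same shape; serving the uploads directory with X-Content-Type-Options: nosniff and an attachment Content-Disposition for non-image types also stops such a file from rendering as HTML.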