FortiGuard Labs Breaking Threat Research
WordPress is the world’s most popular Content Management System (CMS). It holds 60.4% of the global CMS market share, far ahead of second-place Joomla! at 5.2%. As a result, over a third of all websites on the Internet were built using WordPress.
This stored XSS vulnerability (identified as CVE-2019-16219) affects WordPress versions 5.0 through 5.0.4, 5.1, and 5.1.1.
In WordPress 5.0, users can add Shortcode blocks to a post. When certain HTML-encoded characters such as “&lt;” are added to the Shortcode block and the post is then re-opened, the editor shows an error message and previews the block content after decoding “&lt;” back to “<”.
The XSS filter in this preview can be easily bypassed with the PoC “"><img src=1 onerror=prompt(1)>”.
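The defect described above, as an added illustration that is not WordPress code: an entity-decoded string concatenated into preview markup (the vulnerable pattern) beside the same string escaped before it reaches an HTML context (the fix). The function names and the stored form of the PoC are assumptions.

```javascript
// Added example (not WordPress code): simulates a preview step that
// decodes a Shortcode block's entity-encoded text and renders it as HTML.
// Assumed names: decodeEntities, escapeHtml, previewUnsafe, previewSafe, tagsIn.

// Decode the entities the editor stored for "<", ">", '"', "'" and "&".
// "&amp;" is decoded last so "&amp;lt;" yields "&lt;" rather than "<".
function decodeEntities(s) {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Escape text before it is placed into an HTML context ("&" first).
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: decoded text is concatenated straight into the
// preview markup, so any tag it contains becomes live DOM.
function previewUnsafe(storedText) {
  return '<pre class="shortcode-preview">' + decodeEntities(storedText) + '</pre>';
}

// Hardened pattern: decode for display, then escape before insertion
// (equivalent to assigning textContent instead of innerHTML).
function previewSafe(storedText) {
  return '<pre class="shortcode-preview">' + escapeHtml(decodeEntities(storedText)) + '</pre>';
}

// List the element names a browser would parse out of the markup.
function tagsIn(html) {
  return [...html.matchAll(/<([a-zA-Z][\w-]*)\b/g)].map(m => m[1].toLowerCase());
}

// Constructed sample: the page's PoC string as the editor would store it
// once the quote and angle brackets are entity-encoded.
const storedPoc = '&quot;&gt;&lt;img src=1 onerror=prompt(1)&gt;';

console.log(tagsIn(previewUnsafe(storedPoc)));  // [ 'pre', 'img' ]
console.log(tagsIn(previewSafe(storedPoc)));    // [ 'pre' ]
```

The unsafe preview yields a live img element carrying the event handler, while the hardened preview shows the same text with no element other than the wrapper.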
When any victim views this post, the XSS code will be executed in their browser.
If the victim happens to have admin rights, the criminal could exploit this vulnerability to take over the administrator’s account, use WordPress’s built-in functionality to obtain a shell, and then take control of the server.
Once a victim with high privileges views this post, the PoC creates an administrator account named “attacker”.
The attacker could then modify an existing PHP file into a webshell and use that webshell to take control of the web server.
FortiGuard Labs contacted WordPress about this zero-day discovery, and they have issued a patch. All users of vulnerable versions of WordPress are encouraged to upgrade to the latest WordPress version or apply the latest patches immediately.
Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the following signature: