10,000+ WordPress Sites At Risk Due To Stored XSS Vulnerability

WordPress plugin with over 10,000 installations contains a critical unpatched vulnerability. The vulnerability was discovered by Melbin Mathew yesterday and it deserves the attention of those who have installed this plugin on their WordPress sites.

The plugin has XSS(Cross-site Scripting) vulnerability that can easily be exploited by a hacker. Here is how it works.

Colorbox Lightbox plugin allows site admins to implement functionlity in site to allow users to see content in popup. The way it works is anyone writing a post can use the following shortcode with the media URL and hyperlink –

[wp_colorbox_media url="http://www.youtube.com/embed/nmp3Ra3Yj24" type="youtube" hyperlink="Click here"]

So the above shortcode will output the video in a popup which is awesome. But, both of these fields are non-sanitized that means any javascript code inserted within parameters will run in web browser.

[wp_colorbox_media url="http://www.youtube.com/embed/nmp3Ra3Yj24" type="youtube" hyperlink="Click here <script>alert('XSS from hyperlink param')</script>"]
Colorbox Lightbox XSS vulnerability

As you can see in the above image, the script provided in the hyperlink parameter executed in web browser.

The consequences of this would be any visitor can exploit it by using the same shortcode in the comment section. Any comment that shows up with the plugin shortcode will run any javascript code embedded into it.

But for a better chance of making an admin hit it is by writing a post and make him review it. That way, when a logged-in user reviews a post, his/her site cookies can be sent silently to the hacker and then hacker can log in as an admin.

No patch released yet

So far the vulnerability is working on the latest version of plugin. All the 10,000+ websites that have installed this plugin are under huge risk of exposing their sites to hackers.

I also tested this vulnerability with WordFence free firewall, unfortunately the WordFence free version does not protect the site from exploiting this vulnerability. The way WordFence free version works is that they provide security patches to free users after 30 days of discovery. So may be they have provided the patch but that’s not yet available for free users.