WordPress version 4.5.3 Audio Playlist suffers from a cross site scripting vulnerability.
03337762b5f9e7ec64dbec0de777fb10------------------------------------------------------------------------
WordPress audio playlist functionality is affected by Cross-Site
Scripting
------------------------------------------------------------------------
Yorick Koster, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Two Cross-Site Scripting vulnerabilities exists in the playlist
functionality of WordPress. These issues can be exploited by convincing
an Editor or Administrator into uploading a malicious MP3 file. Once
uploaded the issues can be triggered by a Contributor or higher using
the playlist shortcode.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160717-0003
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the WordPress version 4.5.3.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
These issues are resolved in WordPress version 4.7.3.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
It was discovered that meta information (ID3) stored in audio files are not properly sanitized in case they are uploaded by a user with the unfiltered_html (generally an Editor or Administrator).
The first Cross-Site Scripting vulnerability exists in the function that processes the playlist shortcode, which is done in the wp_playlist_shortcode() method (/wp-includes/media.php). This method creates a <noscript> block for users with JavaScript disabled.
The method wp_get_attachment_link() does not perform any output encoding on the link text. Meta information from the audio file is used in the link text, rendering wp_playlist_shortcode() vulnerable to Cross-Site Scripting.
The second Cross-Site Scripting issue is DOM-based and exists in the JavaScript file /wp-includes/js/mediaelement/wp-playlist.js (or /wp-includes/js/mediaelement/wp-playlist.min.js). The WPPlaylistView object is used to render a audio player client side. The method renderTracks() uses the meta information from the audio file in a call to jQuery's append() method. No output encoding is used on the meta information, resulting in a Cross-Site Scripting vulnerability.
Proof of concept
The following MP3 file can be used to reproduce this issue:
https://securify.nl/advisory/SFY20160742/xss.mp3
1) upload MP3 file to the Media Library (as Editor or Administrator).
2) Insert an Audio Playlist in a Post containing this MP3 (Create Audio Playlist).
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.