lesterchan / wp-polls

Adds an AJAX poll system to your WordPress blog. You can also easily add a poll into your WordPress's blog post/page.
https://wordpress.org/plugins/wp-polls/

Authenticated Stored XSS #55

Closed ghost closed 9 years ago

ghost commented 9 years ago

Hi, there is an Authenticated Stored XSS in version 2.70. Detailed information is included below.

File: wp-content/plugins/wp-polls/polls-add.php
Parameter: pollq_question, polla_answers[]
Payload: <svg onload="alert(/1/)"
Vuln Type: Authenticated Stored XSS

http://i.imgur.com/1wrETXW.png?1

http://i.imgur.com/ddh3QeK.png?1

lesterchan commented 9 years ago

I replied to this on my email before.

I will not consider that an actual XSS.

That is by design.

Only admins have access to add polls, and they can add any HTML inside the poll fields.

Just like you can have alert(1) within the WP post text field as well.

You can check out the code here https://github.com/lesterchan/wp-polls/blob/master/wp-polls.php#L1802-L1805 that assigns manage_polls to admins only.

ghost commented 9 years ago

Hi,

Don't admit your mistake. Sanitizing and filtering can be applied. If you have a situation like that, it is caused by the theme developer. The end user can never be trusted.
It is unreasonable to put HTML into the fields except the description field.

https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data

lesterchan commented 9 years ago

I have users who require HTML in the poll question and answer fields, hence the inclusion of HTML.

Of course I can use kses to filter it out; I can probably take a look at it when I am free. But having said that, it is only XSS if you consider putting alert(1) inside the textarea of a post as XSS.

lesterchan commented 9 years ago

I have fixed it and wrapped it with wp_kses_post(). You can try the dev version, which is 2.71.
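The fix described above, as an added example that is not the plugin's own code: a poll save handler that keeps the manage_polls capability check and runs the question and answer fields through wp_kses_post() before they are stored, so markup such as the reported `<svg onload=...>` payload is stripped while the HTML that post content allows is kept. It assumes WordPress is loaded; `sanitize_poll_input()`, `wppolls_example_save()` and the sample values are hypothetical.

```php
<?php
// Added example (not wp-polls code). Assumes WordPress is loaded so that
// wp_kses_post(), wp_unslash(), current_user_can() and check_admin_referer() exist.

// Filter poll input the way the 2.71 fix does: wp_kses_post() keeps the tags and
// attributes allowed in post content (<b>, <a href>, <img src>, ...) and removes
// everything outside that allowlist, including <svg> and any on* event handler.
function sanitize_poll_input( $question, array $answers ) {
    $clean_question = wp_kses_post( wp_unslash( $question ) );
    $clean_answers  = array();
    foreach ( $answers as $answer ) {
        $answer = wp_kses_post( wp_unslash( $answer ) );
        if ( '' !== trim( $answer ) ) {   // drop answers that were nothing but bad markup
            $clean_answers[] = $answer;
        }
    }
    return array( $clean_question, $clean_answers );
}

// Hypothetical admin-side handler: the capability check stays (the plugin assigns
// manage_polls to admins), and kses filtering is added as a second layer on top of it.
function wppolls_example_save() {
    if ( ! current_user_can( 'manage_polls' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'wppolls_example_save' ); // hypothetical nonce action name

    $question = isset( $_POST['pollq_question'] ) ? $_POST['pollq_question'] : '';
    $answers  = isset( $_POST['polla_answers'] ) ? (array) $_POST['polla_answers'] : array();

    list( $question, $answers ) = sanitize_poll_input( $question, $answers );

    // Store the filtered values (actual insert omitted); escape again on output,
    // e.g. with wp_kses_post() when rendering the question and answers in the theme.
    return array( 'question' => $question, 'answers' => $answers );
}

// Constructed sample: the reported payload next to legitimate markup. The <svg> tag
// and the onerror attribute are removed; the <b> and <a href> markup is retained.
list( $q, $a ) = sanitize_poll_input(
    '<svg onload="alert(/1/)">Favourite <b>editor</b>?',
    array( '<a href="https://example.com/">vim</a>', '<img src="x" onerror="alert(1)">emacs' )
);
```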

espellcaste commented 9 years ago

@lesterchan Your point is that if someone, a hacker maybe, can add something on the backend, then the person hacked has bigger problems, right?!

I got your point.

ghost commented 9 years ago

@lesterchan thanks.