Time spent: 7 hours spent in total

Objective: Find, analyze, recreate, and document five vulnerabilities affecting an old version of WordPress

1. (Required) Unauthenticated Stored Cross-Site Scripting (XSS)

• Summary:
  • Vulnerability types: XSS
  • Tested in version: 4.2
  • Fixed in version: 4.2.1
• GIF Walkthrough:
• Steps to recreate:
  1. Post the following text to a comment: Link 1
  2. When an admin sees/approves the comment, then the code is executed.
• Affected source code:
  • Link 1
  • Link 2
  • Link 3
  • Link 4

2. (Required) Authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.

• Summary:
  • Vulnerability types: CSRF
  • Tested in version: 4.2
  • Fixed in version: 4.7.3
• GIF Walkthrough:
• Steps to recreate:
  1. As an Author/Contributor, post this YouTube embed snippet:

  [embed src='https://www.youtube.com/embed/dQw4w9WgXcQ\x3csvg onload=alert(document.cookie)\x3e'][/embed]
  

• Affected source code:
  • Link 1
  • Link 2
  • Link 3

3. (Required) Authenticated Cross-Site Scripting (XSS) via Media File Metadata

• Summary:
  • Vulnerability types: XSS
  • Tested in version: 4.2
  • Fixed in version: 4.2.13
• GIF Walkthrough:
• Steps to recreate:
  1. Upload a media file and add a code snippet like this to the file name:

  <img src=a onClick=alert(document.cookie)>
  

  2. Upload as an attachment and post it.
  3. NOTE: You need higher posting permissions to upload pictures
• Affected source code:
  • Link 1

4. (Optional) Vulnerability Name or ID

• Summary:
  • Vulnerability types:
  • Tested in version:
  • Fixed in version:
• GIF Walkthrough:
• Steps to recreate:
• Affected source code:

5. (Optional) Vulnerability Name or ID

• Summary:
  • Vulnerability types:
  • Tested in version:
  • Fixed in version:
• GIF Walkthrough:
• Steps to recreate:
• Affected source code:

List any additional assets, such as scripts or files

• XSS Comment
• Pusheen

• WordPress Source Browser
• WordPress Developer Reference

GIFs created with LiceCap.

1. The command root@kali:~# wpscan --url http://wpdistillery.vm --random-agent returned Scan Aborted: invalid option: --random-agent
2. Windows does not allow some special characters in file names such as /, |, (, ) etc.

Copyright [2018] [Chris Panican]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.