This issue was successfully tested on WordPress 4.5.3.
WordPress Media Upload functionality is used to upload image, audio, video and other allowed file extensions. The uploaded media types are automatically available to public users via so called public 'Attachment Pages'.
WordPress performs insufficient validation on the file name of uploaded media types and in specific images. The file name of an image is used as image Title (meta) in so called ‘attachment pages’ (HTML). An attacker can exploit this vulnerability by crafting an image file name with Cross-Site Scripting payload and lure an admin into uploading the image with the malicious file name.
Please note that the WordPress admin (victim) needs to use an operating system like for example Mac or Linux. These provide extended file name capabilities necessary for an attacker to be able to successfully use this vulnerability.
For the attack to succeed the following conditions have to be met:
- A WordPress admin uploads a malicious image file requested by a user this admin trusts or a popular malicious image that was spread via social media. This involves social engineering. In the Proof of Concept the file name
cengizhansahinsumofpwn<img src=a onerror=alert(document.cookie)>.jpgwas used.
- An attacker can now determine if the file name with which the malicious file is available on the WordPress site. With this information he can spread the URL to end users and the WordPress admin.
Proof of concept
When an image with a file name such as
cengizhansahinsumofpwn<img src=a onerror=alert(document.cookie)>.jpg is uploaded and viewed within WordPress the script code is executed:
The file name is always equal to the attachment page: