Sunday, December 06, 2020

[CVE-2019-17674 & CVE-2020-11025] Stored XSS through navigation menu item edited in Customizer in Wordpress (Write Up)


This is going to be a short write up about one of the security vulnerabilities issued by WordPress on their security patch release [CVE-2019-17674 & CVE-2020-11025].

I reported this issue way back March 30, 2018 thru their bug bounty program on HackerOne.

This issue was due to a vulnerable feature of WordPress which is the Navigation Menu. In the Menu there is a input box for Social Media links which may allow any site owner to input their Social Media profile links. The previous version of WordPress didn't sanitize any HTML Code for the link input which makes the feature vulnerable to Cross Site Scripting.

When a user adds a Cross Site Scripting payload in the Social Media input and publish the edited page, the payload will trigger on the home page of the owner's WordPress site.

In my test, I published a live demo of the vulnerability which you can check here

Again, this issue was already fixed by WordPress.

--Proof of Concept--
  1. go to<name>
  2. click the "Menus" tab in the left side
  3. click "Social Media"
  4. choose any tab from "Facebook, Linkedin, Twitter and Instagram"
  5. after you choose a tab, input xss payload in the "Navigation Label"
  6. click Publish
  7. go to domain and see the result.
Result: Stored XSS


Report Title: Stored XSS through nav menu item edited in Customizer
Reported: 2018-03-30 08:11:34 +0000
Patch Release: October 14, 2019
Reward: $600

Press Release of the issue

I hope you enjoy this write up, have a great day y'all!

"We may encounter many defeats but we must not be defeated."
-Maya Angelou