Researcher releases WordPress CSP bypass hack

John Leyden Jun 01, 2022 at 16:40 UTC

Updated: June 01, 2022 at 17:00 UTC

The technique bypasses web security checks

A security researcher has discovered an interesting, albeit partially developed, technique for bypassing CSP (Content Security Policy) checks using WordPress.

The hack, discovered by a security researcher Paulos Yibelois based on the abuse of execution of the method of the same origin.

This technique uses JSON padding to call a function. It’s the kind of thing that could allow a WordPress account to be compromised but only with the addition of a cross-site scripting (XSS) exploit, which the researcher doesn’t yet have.

Keep up to date with the latest security news related to WordPress

Yibelo said The daily sip that they didn’t go so far as to attempt the trick on live sites, limiting the exploits to a test search site they owned themselves.

“I haven’t really tried it because it requires a logged in WordPress user or admin to visit my website, so I install the plugin and have an HTML injection – which is illegal,” Yibelo explained, adding that they hadn’t tried. to exploit the bug in the wild on bug bounty sites either.

The researcher added that he reported it to WordPress three months ago via HackerOne. After failing to get a response, Yibelo went public with the findings through a technical blog post.

Endgame final

Attacks are potentially possible in two scenarios: 1) websites that do not use WordPress directly but have a WordPress endpoint on the same domain or subdomain, and 2) a WordPress-hosted website with a CSP header.

The potential impact is severe, as Yibelo’s blog post explains:

If an attacker finds an HTML injection vulnerability in the main domain (ex: site – not WordPress,) using this vulnerability, they can use a WordPress endpoint to upgrade an unnecessary HTML injection to an XSS complete which can be increased to carry out [remote code execution] CRE. This means that WordPress anywhere on the site defeats the purpose of having a secure CSP.

The daily sip invited the core WordPress development team to comment on the research. No response yet, but we’ll update this story as we hear more.

Yibelo concluded, “I hope WordPress fixes it so that CSP remains relevant on sites that host a WordPress endpoint.”

Content Security Policy is a technology set by websites and used by browsers that can block external resources and prevent XSS attacks.

YOU MAY ALSO LIKE Jupiter WordPress Theme Fixes Critical Security Vulnerability

Comments are closed.