A security researcher has disclosed two CSP bypass scenarios affecting WordPress websites. Both techniques involve exploiting Same Origin Method Execution (SOME) and could enable remote code execution attacks. Apparently, no patch exists for the bypass as of this writing.
WordPress CSP Bypass Disclosed
Sharing the details in a blog post, researcher Paulos Yibelo of Octagon Networks revealed how he could bypass Content Security Policy (CSP) on WordPress sites. An adversary could exploit the discovered technique to carry out different attacks, such as clickjacking, cross-site scripting (XSS), and code injection.
Describing the impact of the vulnerability, the researcher stated,
If an attacker finds an HTML injection vulnerability within the main domain (ex: website1.com – not WordPress), using this vulnerability, they can use a WordPress endpoint to upgrade a useless HTML injection to a full-blown XSS that can be escalated to perform RCE. This means having WordPress anywhere on the site defeats the purpose of having a secure CSP.
This exploit threatens the security of websites that either run on WordPress or use a WordPress endpoint. While the former is relatively uncommon, the latter – that is, using WP endpoints on the domain or a subdomain – is quite common for websites. For WordPress-hosted websites, the threat depends on whether the site admins have added a custom CSP header, since WordPress does not ship with CSP.
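The point above is that a CSP only helps when one is actually sent and when its directives constrain what injected HTML can do. What follows is an added example, not code from the researcher, Octagon Networks, or WordPress: a small CSP header parser and baseline audit that flags the directives relevant to the attack classes named in the article (inline script for XSS, object-src and base-uri for script execution through injected markup, frame-ancestors for clickjacking). The sample headers are constructed, and the checks are a generic baseline; they do not model the disclosed SOME technique, which abuses a WordPress endpoint on the same domain rather than a weak directive.

```python
"""Parse a Content-Security-Policy header and flag directives that decide
whether the policy actually constrains injected HTML, script, or framing.

Added example for this article; not code from the researcher or WordPress.
The sample headers are constructed; the check list is a generic baseline.
"""
from __future__ import annotations

# Fetch directives that fall back to default-src when they are absent.
# frame-ancestors and base-uri deliberately do NOT fall back.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "object-src", "style-src", "img-src", "connect-src", "frame-src",
}

# Constructed sample headers.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example"
STRICT_CSP = (
    "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
    "object-src 'none'; base-uri 'none'; frame-ancestors 'none'; style-src 'self'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';'. The first token of each is the
    directive name (case-insensitive); the rest are source expressions.
    A repeated directive is ignored by browsers, so the first one wins.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Return the source list governing `directive`, applying default-src
    fallback where the spec allows it. None means nothing constrains it."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def audit_csp(header: str | None) -> list[str]:
    """Return human-readable findings; an empty list means no baseline issue."""
    if not header or not header.strip():
        return ["no Content-Security-Policy header: injected markup is unconstrained"]
    policy = parse_csp(header)
    findings: list[str] = []

    script = effective(policy, "script-src")
    if script is None:
        findings.append("script-src/default-src missing: any injected <script> runs")
    else:
        lowered = [s.lower() for s in script]
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in lowered)
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present.
        if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline' without nonce/hash: "
                            "HTML injection becomes XSS")
        if "'unsafe-eval'" in lowered:
            findings.append("script-src allows 'unsafe-eval'")
        if "*" in lowered or "data:" in lowered:
            findings.append("script-src allows a wildcard or data: scheme")

    obj = effective(policy, "object-src")
    if obj is None or [s.lower() for s in obj] != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can execute script")

    if "base-uri" not in policy:
        findings.append("base-uri missing: injected <base> can redirect relative script URLs")

    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: page may be framed (clickjacking)")

    return findings


if __name__ == "__main__":
    for label, hdr in (("none", None), ("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"[{label}]")
        for finding in audit_csp(hdr) or ["no baseline findings"]:
            print("  -", finding)
```

Run against a real site, the header to feed `audit_csp` is the `Content-Security-Policy` response header; an absent header is the case the article describes for a default WordPress install, and the audit reports it as the single most important finding.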
The researcher tested the exploit against his own website (https://octagon.net/), which only uses a WordPress endpoint for blogging. Nonetheless, the researcher could carry out the attack, demonstrating that an adversary could also trigger the exploit against any target website upon discovering a vulnerable endpoint. Conducting such attacks involves abusing Same Origin Method Execution (SOME).
Yibelo has shared the technical details in his post alongside the following video demonstrating the attack in real time.
The researcher first reported the vulnerability to WordPress officials. However, he went ahead and disclosed it publicly after receiving no response.