Technique skirts web security controls

A security researcher has discovered a neat, albeit partially developed, technique to bypass CSP (Content Security Policy) controls within WordPress environments

A security researcher has discovered a neat, albeit partially developed, technique to bypass CSP (Content Security Policy) controls using WordPress.

The hack, discovered by security researcher Paulos Yibelo, relies on abusing same origin method execution.

This technique uses JSON padding to call a function. That’s the sort of thing that might allow the compromise of a WordPress account but only with the addition of a cross-site scripting (XSS) exploit, which the researcher doesn’t have as yet.


Catch up with the latest WordPress related security news


Yibelo told The Daily Swig that they have not gone as far as attempting the trick on live sites, restricting exploits to a test research site they themselves owned.

“I haven’t really attempted to because it requires a logged in WordPress user or admin to visit my website, so I install the plugin and have a HTML injection – which is illegal to do,” Yibelo explained, adding they hadn’t attempted to exploit the bug in the wild on bug bounty sites either.

The researcher added that they reported it to WordPress three months ago via HackerOne. After failing to get a reply, Yibelo went public with the findings through a technical blog post.

Endpoint endgame

Attacks are potentially possible in two scenarios: 1) websites that don’t use WordPress directly but have an endpoint of WordPress on the same-domain or subdomain, and 2) a website hosted on WordPress with a CSP header.

The potential impact is severe, as Yibelo’s blog post explains:

If an attacker finds an HTML injection vulnerability within the main domain (ex: website1.com – not WordPress,) using this vulnerability, they can use a WordPress endpoint to upgrade a useless HTML Injection to a full blown XSS that can be escalated to perform [remote code execution] RCE. This means having WordPress anywhere on the site defeats the purpose of having a secure CSP.

The Daily Swig invited WordPress’s core development team to comment on the research. No word back, as yet, but we’ll update this story as and when we hear more.

Yibelo concluded: “I hope Wordpress fixes it so CSP stays relevant on sites that host a WordPress endpoint.”

Content Security Policy is a technology set by websites and used by browsers that can block external resources and prevent XSS attacks.


YOU MAY ALSO LIKE WordPress theme Jupiter patches critical security hole