Sauron [Reflected XSS]


The Sauron theme is vulnerable to reflected XSS because it does not escape the search string before outputting results in its live search.

The theme uses a live search implementation that echoes the contents of the search input into a popup window under the live search field. By passing a malicious search string it is possible to execute arbitrary JS code in the victim's browser.

Additionally, because the search string is concatenated directly into the WP_Query argument string, an attacker can manipulate the database query, for example querying private posts or other post types.

Vulnerable code:

public static function live_posts_search(){
  // The page's copy of this line is truncated: $s (the raw, unsanitized search
  // string) and $post (WordPress's current post object) are used below as globals.
  global $wdwt_front;
  $count = 4;
  $date_enable = $wdwt_front->get_param('date_enable');
  $grab_image  = $wdwt_front->get_param('grab_image');
  // Sink 1: $s is concatenated unescaped into a query-string style argument list,
  // so an '&' inside the search string adds further query vars to WP_Query.
  $wp_query = new WP_Query('posts_per_page='.$count.'&s='.$s.'&order=DESC');
  ?>
  <ul id="live_search">
  <?php if ($wp_query->have_posts()) { ?>
  <?php while ($wp_query->have_posts()) : $wp_query->the_post();
    $date = new DateTime($post->post_date);
    $date_result = $date->format('M d, Y');
    $tumb_id = get_post_thumbnail_id( $post->ID );
    // The lookup that populates $thumb_url from $tumb_id is missing from the page's copy.
    if( $thumb_url ) {
      $thumb_url = $thumb_url[0];
    } else {
      $thumb_url = self::catch_that_image();
      $thumb_url = $thumb_url['src'];
    }
    $background_image = $thumb_url;
    ?>
    <li>
      <?php if(has_post_thumbnail() || $grab_image){ ?>
      <div class="img_div">
        <img src="<?php echo $background_image; ?>" />
      </div>
      <?php } ?>
      <div class="desc_div">
        <a href='<?php echo $post->guid; ?>' target='_blank'><span><?php the_title(); ?></span></a>
        <?php if($date_enable){ ?>
        <p class="post-meta">
          <span class="post-meta-author"><i class="fa fa-user"></i> <?php echo get_the_author(); ?></span><br />
          <span class="tie-date"><i class="fa fa-clock-o"></i><?php echo $date_result; ?></span>
        </p>
        <?php } ?>
      </div>
    </li>
  <?php endwhile; ?>
    <!-- Sink 2: $s is reflected unescaped inside a single-quoted href attribute -->
    <li class="live-search_more"><a href='<?php echo get_option( "home", get_site_url()).'?s='.$s; ?>'>View All Results</a></li>
  <?php }
  else{ ?>
    <!-- Sink 3: same unescaped reflection on the "no results" path -->
    <li class="live-search_more"><a href='<?php echo get_option( "home", get_site_url()).'?s='.$s; ?>'>Nothing was found.</a></li>
  <?php } ?>
  </ul>
  <?php
}

Proof of concept (value of the search input):

' onclick=alert(/XSS/)>
'><a href=> Click me!<!--
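For comparison, the following is a hardened rewrite of the handler above. It is an added example, not the theme's own code or its vendor's fix. It assumes the search term arrives as the `s` request parameter, that `$wdwt_front->get_param()` and `self::catch_that_image()` behave as in the vulnerable code (the latter returning an array with an `src` key), and that the class name `Sauron_Live_Search_Hardened` is a placeholder for wherever the method really lives. The three changes that matter: the search term is sanitized on input, `WP_Query` receives an array so the term can only ever be the value of `s` (post type and status are pinned explicitly), and every echo is escaped for its context with `esc_url()` or `esc_html()`.

```php
<?php
// Added example: hardened live search handler (not the Sauron theme's code).
// Placeholder class name; the original method is a static method on a theme class.
class Sauron_Live_Search_Hardened {

  public static function live_posts_search() {
    global $wdwt_front;                      // assumed: same front-end helper as the theme
    $count       = 4;
    $date_enable = $wdwt_front->get_param('date_enable');
    $grab_image  = $wdwt_front->get_param('grab_image');

    // Input: take the term from the request and reduce it to plain text.
    $s = isset($_REQUEST['s']) ? sanitize_text_field(wp_unslash($_REQUEST['s'])) : '';

    // Query: array form instead of 'posts_per_page=4&s=' . $s . '&order=DESC'.
    // An '&' inside $s can no longer introduce extra query vars, and the
    // post type / status the search may return are fixed here, not by the caller.
    $wp_query = new WP_Query(array(
      'posts_per_page' => $count,
      's'              => $s,
      'order'          => 'DESC',
      'post_type'      => 'post',
      'post_status'    => 'publish',
    ));

    // "View all" link: add_query_arg() URL-encodes the value, esc_url() escapes
    // it for the attribute context.
    $all_url = add_query_arg('s', $s, home_url('/'));
    ?>
    <ul id="live_search">
    <?php if ($wp_query->have_posts()) {
      while ($wp_query->have_posts()) : $wp_query->the_post();
        $date_result = get_the_date('M d, Y');
        $thumb_url   = '';
        if (has_post_thumbnail()) {
          $thumb_url = get_the_post_thumbnail_url(get_the_ID(), 'thumbnail');
        } elseif ($grab_image) {
          $grabbed   = self::catch_that_image();   // assumed helper from the theme
          $thumb_url = isset($grabbed['src']) ? $grabbed['src'] : '';
        }
        ?>
        <li>
          <?php if ($thumb_url) { ?>
          <div class="img_div">
            <img src="<?php echo esc_url($thumb_url); ?>" />
          </div>
          <?php } ?>
          <div class="desc_div">
            <!-- get_permalink() instead of the raw guid; every echo escaped for its context -->
            <a href="<?php echo esc_url(get_permalink()); ?>" target="_blank"><span><?php echo esc_html(get_the_title()); ?></span></a>
            <?php if ($date_enable) { ?>
            <p class="post-meta">
              <span class="post-meta-author"><i class="fa fa-user"></i> <?php echo esc_html(get_the_author()); ?></span><br />
              <span class="tie-date"><i class="fa fa-clock-o"></i> <?php echo esc_html($date_result); ?></span>
            </p>
            <?php } ?>
          </div>
        </li>
      <?php endwhile; ?>
      <li class="live-search_more"><a href="<?php echo esc_url($all_url); ?>">View All Results</a></li>
    <?php } else { ?>
      <li class="live-search_more"><a href="<?php echo esc_url($all_url); ?>">Nothing was found.</a></li>
    <?php }
    wp_reset_postdata();                     // restore the main query's $post
    ?>
    </ul>
    <?php
  }
}
```

With this version the two proof-of-concept strings above are stored as plain text by `sanitize_text_field()`, land in the `href` attribute only after URL encoding and `esc_url()`, and never reach the attribute or element context as markup. Pinning `post_type` and `post_status` in the array also closes the query manipulation described earlier, since the search term is no longer parsed as part of a query string.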