I am trying to reproduce the WordPress vulnerability WordPress < 6.5.5 – Contributor+ Stored XSS in Template-Part Block.
The WPScan report description mentions that WordPress does not properly escape the “tagName” attribute in the “Template Part block,” allowing high-privileged users to perform Stored Cross-Site Scripting (XSS) attacks.
The proof of concept states that to reproduce this vulnerability, as a contributor, you should:

1. Add a "Template Part" block to a post.
2. Click "Start Blank" and then "Create."
3. Go into Editor mode and add the following to the wp:template-part block:

    "tagName":"img src=x onerror=alert(1) title=x"
I have a WordPress site running version 6.5.3, which is vulnerable. I am using the Twenty Twenty-Four theme, and as a contributor, I created a new post. However, in the block editor, I can’t find the “Template Part” option. That feature only appears in the site-editor.php, which is accessible only by administrators.
I am confused because the WPScan report says contributors can execute this vulnerability. Could you clarify how to reproduce the PoC under these conditions?
References:
https://wpscan.com/vulnerability/7c448f6d-4531-4757-bff0-be9e3220bbbb/
I tried reproducing the vulnerability by adding a “Template Part” block as a contributor on a WordPress site version 6.5.3 with the Twenty Twenty-Four theme. I expected to find the “Template Part” block in the block editor as described in the PoC.
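As an added example (not from the question or from WordPress itself), here is a defender-side check for the issue described above: it scans serialized post content for `wp:template-part` block comments, parses the block's JSON attributes, and flags any `tagName` that is not a plain lowercase HTML element name from an allow list. The allow list, the default tag name of `div`, and the sample post content are assumptions constructed for this example; they are not taken from WordPress core.

```python
import json
import re

# Serialized Gutenberg block comment: <!-- wp:template-part {...} /-->
# (or the non-self-closing form ending in "-->").
BLOCK_RE = re.compile(r'<!--\s+wp:template-part\s+(\{.*?\})\s+/?-->', re.DOTALL)

# Assumed allow list of element names a template part may be wrapped in.
ALLOWED_TAGS = {"div", "header", "footer", "main", "section", "article", "aside", "nav"}

# A valid tag name is a single lowercase word: no spaces, quotes or "<"/">",
# so an attribute-injection string can never pass this check.
SAFE_TAG_RE = re.compile(r'^[a-z][a-z0-9]*$')


def find_template_part_blocks(content):
    """Return the attribute dicts of every wp:template-part block in `content`."""
    blocks = []
    for match in BLOCK_RE.finditer(content):
        try:
            attrs = json.loads(match.group(1))
        except json.JSONDecodeError:
            # Malformed JSON is itself worth reporting; keep the raw text.
            attrs = {"_parse_error": match.group(1)}
        blocks.append(attrs)
    return blocks


def is_safe_tag_name(tag):
    """True only for a well-formed element name that is on the allow list."""
    return isinstance(tag, str) and bool(SAFE_TAG_RE.match(tag)) and tag in ALLOWED_TAGS


def audit_template_parts(content):
    """List every template-part block whose tagName would not pass validation."""
    findings = []
    for attrs in find_template_part_blocks(content):
        tag = attrs.get("tagName", "div")  # assumed default when the attribute is absent
        if not is_safe_tag_name(tag):
            findings.append({"slug": attrs.get("slug"), "tagName": tag})
    return findings


# Constructed sample post content: one benign block, one with a malformed tagName.
SAMPLE_POST_CONTENT = (
    '<!-- wp:paragraph --><p>Hello</p><!-- /wp:paragraph -->\n'
    '<!-- wp:template-part {"slug":"header","theme":"twentytwentyfour",'
    '"tagName":"header","area":"header"} /-->\n'
    '<!-- wp:template-part {"slug":"sidebar","theme":"twentytwentyfour",'
    '"tagName":"div title=x","area":"uncategorized"} /-->\n'
)

if __name__ == "__main__":
    for finding in audit_template_parts(SAMPLE_POST_CONTENT):
        print("suspicious tagName in template part", finding["slug"], ":", repr(finding["tagName"]))
```

Run against an export of `post_content` (for example, the rows of `wp_posts`), this reports any block whose `tagName` would be rendered as part of the wrapper element; the same allow-list test is the kind of validation the renderer should apply before emitting the tag.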