Stored XSS in Relevanssi could allow an unauthenticated attacker to do almost anything an admin can do

Score: 5.8 (Medium)
Vector: Network
Complexity: Medium
Authentication: None
Confidentiality: Partial
Integrity: Partial
Availability: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Vulnerability

Relevanssi can display a “did you mean” message; using it requires adding some code to the theme and enabling the logging of user queries. When printing the “did you mean” message, a stored query is output without proper escaping.

Because the queries are stored, the payload reaches the page from the query log rather than being reflected from the current request, so it evades the reflected-XSS prevention measures employed by some browsers, which compare script in the response against the request parameters.
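To show where the escaping is missing, here is an added example (not Relevanssi's own code): a hypothetical, simplified “did you mean” renderer in the vulnerable shape the advisory describes, beside a hardened form that encodes for each output context. The closest-query heuristic, the function names and the query log are assumptions; esc_html() and esc_attr() are the real WordPress helpers, with stand-ins so the script runs outside WordPress.

```php
<?php
// Added example, not Relevanssi's code. Stand-ins for the WordPress escaping
// helpers so this runs outside WordPress (inside WordPress the real ones are used).
if (!function_exists('esc_html')) {
    function esc_html(string $t): string { return htmlspecialchars($t, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $t): string { return htmlspecialchars($t, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}

/** Hypothetical heuristic: the logged query with the smallest edit distance to the current one. */
function suggest_query(string $current, array $log): ?string {
    $best = null;
    $best_dist = PHP_INT_MAX;
    foreach ($log as $stored) {
        if ($stored === $current) { continue; }          // an exact match needs no suggestion
        $d = levenshtein($current, $stored);
        if ($d < $best_dist) { $best_dist = $d; $best = $stored; }
    }
    return $best;
}

// VULNERABLE shape: the logged query is concatenated straight into the HTML response.
// The script reaches the page from the database, not from the current request.
function didyoumean_vulnerable(string $current, array $log, string $pre, string $post): string {
    $s = suggest_query($current, $log);
    return $s === null ? '' : $pre . '<a href="?s=' . $s . '">' . $s . '</a>' . $post;
}

// HARDENED: encode per context. esc_html() for the text node; urlencode() for the
// query-string value, then esc_attr() because it lands inside an href attribute.
function didyoumean_hardened(string $current, array $log, string $pre, string $post): string {
    $s = suggest_query($current, $log);
    if ($s === null) { return ''; }
    $href = '?s=' . urlencode($s);
    return $pre . '<a href="' . esc_attr($href) . '">' . esc_html($s) . '</a>' . $post;
}

// Constructed query log mirroring the advisory's PoC: the first visit stored the
// payload, and the shorter second query makes it the suggested correction.
$log     = ['hello world', 'hel<script>/*<*/alert(1)</script>'];
$current = 'he<script>/*<*/alert(2)</script>';
echo didyoumean_vulnerable($current, $log, '<p>Did you mean: ', '</p>'), PHP_EOL;
echo didyoumean_hardened($current, $log, '<p>Did you mean: ', '</p>'), PHP_EOL;
```

The first line of output carries a live script element; the second renders the stored query as inert text and a safely encoded link.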

Proof of concept

  • Delete all posts and pages (or just start from a fresh WordPress installation)
  • Create a blank post called “hello world”
  • Create a blank post called “hello again”
  • Activate Relevanssi
  • Set the current theme to twentyseventeen
  • Follow the instructions by adding <?php if (function_exists('relevanssi_didyoumean')) { relevanssi_didyoumean(get_search_query(), "<p>Did you mean: ", "</p>", 5); }?> to the file search.php after get_header()
  • Enable Relevanssi’s “Keep a log of user queries” option and click “Save options”
  • Press “Build the index”
  • Visit /?s=hel%3Cscript%3E/*%3C*/alert(1)%3C/script%3E
  • Visit the same URL again
  • If your browser doesn’t use XSS mitigation techniques (e.g. Firefox) you will see an alert
  • Then visit /?s=he%3Cscript%3E/*%3C*/alert(2)%3C/script%3E
  • You will see an alert, even if your browser attempts to block XSS (e.g. Chrome)

Mitigation/further actions

Upgrade to version 3.5.8 or later.