A security researcher has disclosed two CSP bypass scenarios affecting websites that host WordPress. Both abuse Same Origin Method Execution (SOME) and, according to the researcher, can be escalated to remote code execution. No patch was available at the time of writing.
WordPress CSP Bypass Disclosed
In a blog post, researcher Paulos Yibelo of Octagon Networks described how Content Security Policy (CSP) can be bypassed on sites that host WordPress. An attacker could use the technique for clickjacking, cross-site scripting (XSS) and code injection.
Describing the impact of the vulnerability, the researcher wrote:
If an attacker finds an HTML injection vulnerability within the main domain (e.g. website1.com, not WordPress), using this vulnerability, they can use a WordPress endpoint to upgrade a useless HTML Injection to a full-blown XSS that can be escalated to perform RCE. This means having WordPress anywhere on the site defeats the purpose of having a secure CSP.
The technique affects sites that deploy a CSP and host WordPress anywhere on the same origin, whether the whole site runs on WordPress or only a blog or similar WordPress endpoint does. The second arrangement, a WordPress install under a path of an otherwise non-WordPress site, is common. One caveat: SOME relies on same-origin script access, so the WordPress endpoint has to share the scheme, host and port of the page carrying the HTML injection; a WordPress install on a separate subdomain is a separate origin and does not satisfy that on its own. For sites that run entirely on WordPress, exposure depends on whether the administrators added a custom CSP header, because WordPress does not ship a CSP of its own; without one there is no policy to bypass, but also no protection to begin with.
The researcher tested the technique against his own site (https://octagon.net/), which uses WordPress only for its blog, and was still able to carry out the attack. This shows that an attacker can use it against any target site once a vulnerable same-origin endpoint has been found. The attack is carried out through Same Origin Method Execution (SOME): a same-origin endpoint that reflects a caller-supplied callback name into script is loaded from the injected page, and the reflected callback calls methods on another page from the same origin, in the victim's session. No inline or foreign script has to execute, which is why a CSP that allows same-origin scripts does not stop it.
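The following is an added example, not code from the article or from Yibelo's write-up. It models the two preconditions of the chain described in the two paragraphs above: a same-origin endpoint that reflects a caller-supplied callback name, which is the primitive SOME abuses, and a CSP whose script-src lets the injected `<script src="...">` tag pointing at that endpoint load in the first place. The article names no endpoint, parameter or payload, so the `callback` query parameter, the `publish` button id and the https://octagon.net origin are assumptions made for the model.

```javascript
// Added example, not code from the article or from Yibelo's write-up.
// Assumed for the model (the article names none of these): the WordPress
// endpoint takes a `callback` query parameter, the victim page has a button
// with id "publish", and the site origin is https://octagon.net.

// ---- Part 1: callback reflection, the primitive SOME abuses -----------------

// Naive JSONP-style responder: the callback is reflected verbatim. Any member
// expression is accepted, so the "callback" can be a method on another
// same-origin window, for example one reachable through `opener`.
function jsonpNaive(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// Hardened responder: only a bare identifier is accepted, so dots and brackets
// (the path into `opener`, `parent` or the DOM) are refused.
const SAFE_CALLBACK = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
function jsonpHardened(callback, data) {
  if (!SAFE_CALLBACK.test(callback)) {
    throw new Error('rejected JSONP callback: ' + callback);
  }
  return `${callback}(${JSON.stringify(data)});`;
}

// A SOME payload: when the attacker's page opens the victim page and then loads
// the endpoint with this callback, the reflected script ends up calling
// opener.document.getElementById("publish").click(...) in the victim's session.
const somePayload = 'opener.document.getElementById("publish").click';

// ---- Part 2: does the CSP allow the injected same-origin <script src>? -----

// Parse a Content-Security-Policy header value into { directive: [sources] }.
// Everything is lower-cased; nonce and hash values are case-sensitive, but this
// check never compares them, only keywords and host sources.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// True if a parser-inserted <script src="..."> on `origin`, carrying no nonce,
// would be allowed to load under `header`. Deliberately simple: wildcard host
// patterns other than a bare '*' are not expanded.
function sameOriginScriptAllowed(header, origin) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;                      // no script restriction at all
  if (sources.includes("'none'")) return false;
  // With 'strict-dynamic', 'self' and host sources are ignored: only nonced or
  // hashed scripts (and what they insert) run, so an injected tag is blocked.
  if (sources.includes("'strict-dynamic'")) return false;
  const o = new URL(origin);
  const scheme = o.protocol;                      // e.g. "https:"
  const host = o.host;                            // e.g. "octagon.net"
  return sources.some((s) =>
    s === "'self'" || s === '*' || s === scheme ||
    s === `${scheme}//${host}` || s === host);
}

// Constructed sample policies (not taken from the article) and the verdict for
// a WordPress endpoint on the assumed origin.
const samplePolicies = [
  "default-src 'self'",                           // common hardening: still allows the chain
  "script-src 'nonce-r4nd0m' 'self'",            // nonce added but 'self' kept: still allows it
  "script-src 'nonce-r4nd0m' 'strict-dynamic'",  // blocks the injected tag
];
function auditSamplePolicies() {
  return samplePolicies.map((p) => [p, sameOriginScriptAllowed(p, 'https://octagon.net')]);
}

for (const [p, allowed] of auditSamplePolicies()) {
  console.log(`${p.padEnd(46)} injected same-origin script allowed: ${allowed}`);
}
console.log('naive endpoint reflects:', jsonpNaive(somePayload, { ok: true }));
```

The point of the policy check is the second sample: adding a nonce while leaving `'self'` in script-src does not close the path, because the injected tag is a same-origin script and is permitted on that ground. Which directives are honoured alongside `'strict-dynamic'` follows the CSP specification, not the article; the hardened responder is the standard fix for a JSONP-style endpoint and is given here as general guidance, not as something WordPress has shipped.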
Yibelo has shared the technical details in his post, along with the following video demonstrating the attack.
The researcher first reported the vulnerability to WordPress, but went ahead with public disclosure after receiving no response.