This bug only works with specific browsers out of the box. It is reproducible in Microsoft Edge as well as older browsers that lack XSS protection. However, it is exploitable in other browsers if a bypass is found in that XSS protection. Unfortunately, this happens more often than one would hope.
Is Reflective XSS relevant with modern browsers?
Most modern browsers have built-in XSS protection. Chrome has the Chrome XSS Auditor, but this was disabled on August 2019 and is being removed entirely in Chrome 78 due to a number of bypasses and security holes.1 It is being replaced by the Trusted Types API. Microsoft Edge disabled their XSS Filter in 20182. Firefox does not have an XSS auditor.
Even if most modern browsers block the attack there have been numerous bypasses in these filters over time and more are likely to be found. Because of this it is best to ensure your code is safe rather than relying on others to make it safe for your users.
Example Vulnerable URLs
Why This Happens
hreflang tags to give hints to search engines about what language is used on the page.
When outputting the
hreflang tags Weglot was not sanitizing the URL. This means the plugin was using the URL directly. In our exploit’s case
"> would close the
hreflang tag and we could add our own code such as
<script>alert("xss");</script> from the url.
The final output that the browser would render from our vulnerable URLs would be:
<link rel="alternate" href="https://example.com?s="><script>alert(1);</script> "hreflang="en"/> <link rel="alternate" href="https://example.com/fr/?s="><script>alert(1);</script>" hreflang="fr"/>
Because we closed the
link tag our
<script> tag is output and able to run. This causes an alert popup to display in the user’s browser. This same bug affects the creation of the language switcher button displayed in the bottom corner of the site.
The fix for this issue is to escape output when creating the
hreflang tags and the language switcher button per the WordPress guidelines on handling user input.
This bug can be found in
The Weglot team added
esc_html before outputting their final HTML. This converts any special charcters such as < and / into their HTML counterparts. It was fixed in this commit: https://github.com/weglot/translate-wordpress/commit/5aef8ad78fffaa52b1747ed560f9ba830d11b225
|2019-11-27||Vulnerability reported to Weglot.|
|2019-11-28||Weglot acknowledges the report and verifies the vulnerability.|
|2019-12-03||Weglot states the issue was with the API not escaping the script and the issue is resolved|
|2019-12-03||I contact Weglot stating the vulnerability is still active.|
|2019-12-04||Weglot acknowledges vulnerability is still active and shared patch with me to verify.|
|2019-12-12||Weglot patch is available in the WordPress plugin repository|