Stored XSS in SyntaxHighlighter Evolved Plugin

Stored XSS Patched in SyntaxHighlighter Evolved Plugin

Description: Stored XSS
CVSS Severity Score: 6.1 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Software: SyntaxHighlighter Evolved
Plugin Slug: syntaxhighlighter
Affected Version: 3.5.0
Patched Version: 3.5.1

While doing a security audit of the plugins and themes we run on wordfence.com, I discovered a stored XSS vulnerability in SyntaxHighlighter Evolved. SyntaxHighlighter Evolved currently has around 40,000+ active installations. We use SyntaxHighlighter here at Wordfence for code samples within blog posts.

SyntaxHighlighter will, by default, create links for URLs within the shortcode body. The URL regex is loose enough that a javascript:// pseudo-protocol can be used to execute JavaScript when the link is clicked. SyntaxHighlighter will process shortcodes in post comments, so an unauthenticated user can submit shortcodes containing an XSS payload. The XSS payload is then rendered within the comments section of the post and on the comments moderation page in WP Admin.

Proof of Concept:

[code]javascript://%0dalert%28document.cookie%29[/code]

This creates a link with the javascript: pseudo-protocol that can be used to execute arbitrary JavaScript when clicked. The vulnerability actually lies in the regular expression used to match and auto-link URLs within the code block:

/<\w+:\/\/[\w-.\/?%&=@:;]*>|\w+:\/\/[\w-.\/?%&=@:;]*/g

The \w+ character class part of \w+:\/\/ is too loose and will create links with javascript:, data:, etc. The stored XSS payload when submitted through comments will be rendered in both the comments section of a post, and within the comments moderation section of the WordPress admin panel.
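
The flaw described above, shown beside a scheme allowlist, as an added example that is not the plugin's own code. The regex is the one quoted in this post; the allowlist, the function names and the sample lines are assumptions made for illustration, and the allowlist is one way to close the gap, not necessarily the change shipped in 3.5.1.

```javascript
// Added example (constructed). LOOSE_URL is the regex quoted in this post;
// SAFE_SCHEMES, schemeOf and both autolink* functions are hypothetical names.
// Input is assumed to be code text that has already been HTML-escaped.
const LOOSE_URL = /<\w+:\/\/[\w-.\/?%&=@:;]*>|\w+:\/\/[\w-.\/?%&=@:;]*/g;
const SAFE_SCHEMES = new Set(['http', 'https', 'ftp']);

// Extract the lower-cased scheme from a regex match, ignoring a leading "<".
function schemeOf(match) {
  return match.replace(/^</, '').split('://', 1)[0].toLowerCase();
}

// "Before": every match becomes a link, so the scheme is attacker-chosen.
function autolinkLoose(text) {
  return text.replace(LOOSE_URL, (m) => `<a href="${m}">${m}</a>`);
}

// "After": same matcher, but only allowlisted schemes are turned into links;
// anything else is left as inert text.
function autolinkStrict(text) {
  return text.replace(LOOSE_URL, (m) =>
    SAFE_SCHEMES.has(schemeOf(m)) ? `<a href="${m}">${m}</a>` : m);
}

// Schemes that end up inside an href after a given linker has run.
function linkedSchemes(html) {
  return [...html.matchAll(/href="([^"]*)"/g)].map((h) => schemeOf(h[1]));
}

// Constructed sample lines: the post's proof of concept, a mixed-case
// variant, a data: URL and one legitimate link.
const SAMPLE = [
  'javascript://%0dalert%28document.cookie%29',
  'JavaScript://%0dx',
  'data://example',
  'docs: https://example.com/a?b=1',
].join('\n');

console.log('loose :', linkedSchemes(autolinkLoose(SAMPLE)));
console.log('strict:', linkedSchemes(autolinkStrict(SAMPLE)));
```

The same `linkedSchemes` check can be run over rendered comment HTML to flag any auto-generated link whose scheme is outside the allowlist.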

*.wordpress.com Sites Also Affected

I noticed Automattic listed as a contributor to SyntaxHighlighter. I decided to see if SyntaxHighlighter was one of the plugins covered under Automattic’s bug bounty program. It wasn’t in the list, so I checked to see if they were using SyntaxHighlighter on wordpress.com. They do, in fact, use it to render code blocks within comments for sites hosted with wordpress.com.

I submitted the vulnerability report to Automattic through HackerOne. Automattic triaged the report and deployed a fix to wordpress.com within 2 hours of the initial report. Version 3.5.1 of SyntaxHighlighter was released 4 days following the initial report. Automattic awarded a $300 bounty with a $50 bonus for the report.

Bounty Donated to OHSU in Memory of Alex Mills

The original developer of SyntaxHighlighter was a WordPress developer named Alex Mills. Sadly, he passed away earlier this year from leukemia. He worked for Automattic and was quite a prolific member of the WordPress community.

I decided to donate the bounty from Automattic to Oregon Health and Science University (OHSU) in memory of Alex Mills. OHSU played a key role in Alex’s care when undergoing treatment. You can read more about OHSU and about Alex on his blog.

Disclosure Timeline

  • October 4th, 2019 10:16am EDT – Vulnerability report sent to Automattic via HackerOne.
  • October 4th, 2019 12:05pm EDT – Automattic deploys fix to *.wordpress.com sites.
  • October 8th, 2019 – Automattic releases version 3.5.1 of SyntaxHighlighter.
  • October 9th, 2019 – Bounty awarded by Automattic and donated to OHSU.
  • October 21st, 2019 – Report (#707720) disclosed on HackerOne.

Conclusion

SyntaxHighlighter Evolved <= 3.5.0 contains a stored XSS vulnerability via specially crafted comments. The vulnerability was fixed in 3.5.1, and it is recommended that you update as soon as possible. This vulnerability is covered by our generic XSS firewall rule, so Wordfence users have been protected from this vulnerability all along.


Comments

6 Comments
  • Hi guys!

    "This vulnerability is covered by our generic XSS firewall rule" Does this also refer to the free version of Wordfence in the WordPress repository?

    Fortunately I have already updated the plugins before knowing this message.

    Greetings! Great job! :)

    • Hi Joan, Yes, the free version of Wordfence contains the generic XSS rule that will protect your site from this and many other XSS vulnerabilities.

  • I sent you an email yesterday and today I will use comments. For the last week or so I try to share on Facebook but I keep getting "Sorry something went wrong". What is doing that?

    • Hi Dale, this has been fixed. You should be able to share on Facebook.

  • It is a blessing to have a free version of this plugin to protect small websites from such vulnerabilities.

  • It's the first plugin vulnerability article that makes me cry. ç.ç
    Thanks for the support and hard work!