Exploiting Admin Functionality in WordPress Using ClickJacking

hello all

it’s been a while after writing a post and you may know Abysssec  mostly write about application security but we are working on web apps too . in this post we are gonna talk about funny case of wordpress exploitation using ClickJacking technology. as you may know Wordpress Admin panel has x-frame-option which prevent clickjacking but in main page of blog no x-frame-option has been set, so it possible to trick him and make him to post a comment, using Clickjacking. As you may know admin can post comment with html and it is obvious by default this isn’t dangerous, But as blog main page has no x-frame-option it is possible to make XSS of it and finally you can mix ClickJacking /XSS / HTTPOnly Disclosure to make a working exploit.

here is video of  PoC sorry for hosting we have some issue we will upload on abysssec soon  :


WordPress is aware of unfiltered html with superadmin user but as you can see it’s still possible to exploit the issue .

we reported this so called issue to wordpress ~2 month ago

the answer we got is :

Thank you for the report. We're looking into this and will get back to you soon.
Sorry for the delayed reply. We've been discussing how best to do this without inconveniencing users.  At the moment we're considering adding the unfiltered_html nonce via JS when the page is not framed. I'll hopefully have a patch to share soon.

Thanks all

happy blogging !

Comments are closed.


Get Adobe Flash player