Greetings Everyone from Thrakion,
Today, I would like to inform you about the “HTML Injection” vulnerability that I discovered on the Wordpress-based application.
1. I was informed by our project manager that I will conduct tests on “private.com”.
2. As always, I first reviewed the scope form and then began the necessary security testing steps.
3. I have detected various vulnerabilities, but the most motivating one of them is the html injection vulnerability that I was on in the “/hello-world/” directory, which is generally used by wordpress developers for testing purposes but was forgotten to be removed later.
So what is this “/hello-world” directory?
It is a directory created automatically during Wordpress installation, and there is usually a form field where you can add comments for testing purposes. However, the problem here is that vulnerabilities such as html injection are possible due to the lack of sufficient input control rules on the relevant form.
4. After a small directory discovery on the private.com application, I was able to discover the “https://private.com/hello-world" address.
5. I added a simple html title tag to the input points in the form field and pressed the submit comment button.
6. And Bingo! The html tag that I added to the input points was interpreted by the application and we were able to detect the html injection vulnerability.
It is unfortunately much more difficult to detect vulnerabilities on the Wordpress core than before, but various directories and files are created by default during the installation of wordpress-based applications, and it should be noted that it is possible to detect various vulnerabilities as a result of detecting these arguments and examining them from a security point of view.