WordPress RSS and Atom Feed Escaping

OWASP 2013-A3 OWASP 2017-A7 CWE-79 WASC-08

RSS stands for “Rich Site Summary” or “Really Simple Syndication”. It is used for automatically reading and transmitting news. An RSS feed is written in XML and is consumed with an RSS aggregator. The Atom Syndication Format is an XML language used for web feeds; Atom also defines a simple HTTP-based protocol for creating and updating web resources. Old versions of WordPress (1.5.0-4.9) are vulnerable to a feed escaping flaw: they do not properly restrict enclosures in RSS and Atom feeds, and the attributes of those enclosures are not correctly escaped. The feeds are generated in the wp-includes/feed.php file. This allows an attacker to conduct Cross-Site Scripting (XSS) via a crafted URL, injecting malicious script into the feed output, which can leak cookies, session tokens, or other sensitive information retained by the client.
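The following is an added example, not code from WordPress core or from the original article. It contrasts the unsafe pattern (interpolating enclosure metadata straight into feed markup) with a hardened builder that validates the URL, coerces the length, restricts the MIME type, and escapes every attribute for XML. The function names (`build_enclosure`, `build_enclosure_unescaped`, `esc_enclosure_attr`, `is_valid_enclosure_url`) and the sample metadata are assumptions made for the example.

```php
<?php
// Added example (not WordPress core code): escaping enclosure attributes
// before they are emitted into an RSS <enclosure> element.
// Assumptions: the enclosure metadata comes from an untrusted post meta
// field; all function names below are hypothetical.

declare(strict_types=1);

// Escape a value for use inside a double-quoted XML attribute.
// ENT_QUOTES escapes both quote styles; ENT_XML1 emits XML-safe entities.
function esc_enclosure_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// Only accept absolute http(s) URLs; reject anything that would not be a
// fetchable enclosure (javascript:, data:, protocol-relative, etc.).
function is_valid_enclosure_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Hardened builder: validate the URL, coerce the length to a non-negative
// integer, restrict the MIME type to a safe token/token form, and escape
// every attribute value. Returns null when the enclosure should be dropped.
function build_enclosure(string $url, string $length, string $type): ?string
{
    if (!is_valid_enclosure_url($url)) {
        return null; // drop rather than emit a bad enclosure
    }
    $length = (string) max(0, (int) $length);
    if (!preg_match('~^[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+$~i', $type)) {
        $type = 'application/octet-stream';
    }
    return sprintf(
        '<enclosure url="%s" length="%s" type="%s" />',
        esc_enclosure_attr($url),
        esc_enclosure_attr($length),
        esc_enclosure_attr($type)
    );
}

// Vulnerable pattern for comparison: raw interpolation of attacker-controlled
// metadata into the feed markup, the class of defect the article describes.
function build_enclosure_unescaped(string $url, string $length, string $type): string
{
    return "<enclosure url=\"$url\" length=\"$length\" type=\"$type\" />";
}

// Constructed sample: a URL containing characters that would otherwise
// terminate the url attribute and start new markup inside the feed.
$meta = [
    'url'    => 'https://example.test/podcast.mp3"><broken/>',
    'length' => '1234',
    'type'   => 'audio/mpeg',
];

echo "Unescaped: ", build_enclosure_unescaped($meta['url'], $meta['length'], $meta['type']), "\n";
echo "Escaped:   ", build_enclosure($meta['url'], $meta['length'], $meta['type']), "\n";
```

The escaped line renders the quote and angle brackets as `&quot;`, `&gt;` and `&lt;`, so the value stays inside the attribute. In WordPress itself the equivalent building blocks are `esc_url()` for the URL and `esc_attr()` for the remaining attributes; the principle is the same, every value that reaches feed markup is treated as untrusted output and escaped for its context.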

Impact and Fixes
