Wordpress Security

Low Severity | WordPress <= 4.6.1 Stored XSS Via Theme File

The initial report was shared with security@wordpress.org on 8 Sep 2016 (a month ago) and I have not received any response from the WP team.

Technical Details

The vulnerable code is located at /wp-admin/includes/class-theme-installer-skin.php

Lines 68 to 81 (screenshot: wordpress-xss)

The $name parameter is used inside HTML content.

Here is the definition of the $name variable. Its value is taken from the theme itself, so from an attacker's perspective it is possible to place a payload into that piece of HTML.
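A pre-upload check, added here as an example (not code from this report or from WordPress), that inspects a theme archive for the two theme-supplied values the installer renders, the top-level directory name and the "Theme Name" header of style.css, and flags any that contain HTML-significant characters. The header regex mirrors the pattern WordPress's get_file_data() uses; the sample archives are constructed.

```python
import io
import re
import zipfile

# Mirrors the header regex WordPress uses in get_file_data():
# "Theme Name: value" on one line within the first 8 KB of style.css.
THEME_NAME_RE = re.compile(r"^[ \t/*#@]*Theme Name:(.*)$", re.IGNORECASE | re.MULTILINE)
# Characters that change meaning once the value is echoed into HTML unescaped.
UNSAFE_RE = re.compile(r"[<>\"']")


def theme_name_from_css(css_text: str) -> str:
    """Return the Theme Name header value, or '' if the header is absent."""
    m = THEME_NAME_RE.search(css_text[:8192])
    return m.group(1).strip() if m else ""


def audit_theme_zip(zip_bytes: bytes) -> list:
    """Return (source, value) findings for values the theme installer renders
    that contain HTML-significant characters; an empty list means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        # The theme's directory name is the first path component of each entry.
        top_dirs = {n.split("/")[0] for n in names if "/" in n}
        for d in sorted(top_dirs):
            if UNSAFE_RE.search(d):
                findings.append(("directory name", d))
        # style.css directly under the theme directory carries the headers.
        for n in names:
            if n.count("/") == 1 and n.endswith("/style.css"):
                name = theme_name_from_css(zf.read(n).decode("utf-8", "replace"))
                if UNSAFE_RE.search(name):
                    findings.append(("Theme Name header", name))
    return findings


def build_theme_zip(dir_name: str, theme_name: str) -> bytes:
    """Constructed sample archive with the minimal theme layout (not a real theme)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{dir_name}/style.css", f"/*\nTheme Name: {theme_name}\nVersion: 1.0\n*/\n")
        zf.writestr(f"{dir_name}/index.php", "<?php // constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_theme_zip(build_theme_zip("clean-theme", "Clean Theme")))
    print(audit_theme_zip(build_theme_zip("x<b>y", "Bold <i>Name</i>")))
```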

Steps to Reproduce

1 – Download a theme file. You can choose any theme you want (https://downloads.wordpress.org/theme/illdy.1.0.29.zip)

2 – Extract the theme.

3 – Open the illdy/style.css file and make the following changes.

4 – Change the directory name.

5 – Compress the theme folder.

6 – Log into your WordPress site with administrator credentials.

7 – Go to the theme upload module: http://LOCALHOST/wp-admin/theme-install.php

8 – Choose theme.zip

9 – Final result.

(screenshot: wordpress-xss-2)

Attack Scenario

1 – The attacker distributes a theme as a zip file.

2 – A webmaster who just wants to download a theme and upload it takes that theme file.

3 – And uploads it without verifying the contents of the zip file.

LIMITATION

You cannot use an XSS payload as a folder name on Windows. Thus, this issue affects only WordPress instances deployed on Linux.

Triggering the issue requires a theme upload.

Thus I believe this issue should be marked as Low severity.

  • Abood Nour

    Congrats on your finding! However, XSS is the least to worry about when uploading themes from untrusted sources.

    • Exactly, that is the reason why I said “low severity” :-) but there is still a way to take advantage of this vulnerability. You can still use this if you do not want to trigger any kind of IPS or host-based IDS system with PHP backdoors etc.

      • Abood Nour

        I know, I just couldn’t think of a scenario where an attacker who can have control over the system would think of using this vulnerability in an actual attack scenario. IPS/IDS can detect malicious XSS payloads, while it can be evaded by innocent-looking backdoors. There are no rules here 😄
        Congratulations again on the finding, you can do more 😉