CVE-2012-0287

Vulnerability

The vulnerability is a cross-site scripting (XSS) flaw in WordPress versions 3.3.x prior to 3.3.1, specifically in the wp-comments-post.php file. The issue arises when the "Duplicate comment detected" feature improperly handles the query string during a POST operation when Internet Explorer is used as the browser. The unescaped query string is reflected in the error page, allowing injection of arbitrary HTML and JavaScript [1][2].

Exploitation

An attacker must first post a legitimate comment to a target WordPress site. Then, they craft a malicious HTML page that posts a comment with the same author, email, and comment values as the previous comment, along with the correct comment_post_ID. The form's action URL includes a query string containing the XSS payload: ``. When the victim (using Internet Explorer) submits this form, the server detects a duplicate comment and returns a 500 error page that reflects the payload from the query string, executing the script [1].

Impact

A successful exploit allows the attacker to execute arbitrary JavaScript or HTML in the victim's browser within the context of the vulnerable WordPress site. This can lead to session hijacking, defacement, or theft of sensitive information. The attack requires the victim to use Internet Explorer and to interact with the attacker-controlled form [1].

Mitigation

WordPress 3.3.1, released on January 3, 2012, fixes this vulnerability along with other issues. Users should upgrade to version 3.3.1 or later. No workaround is available if the site cannot be upgraded. This CVE is not listed on the CISA KEV [2].