WordPress has released my.WordPress.net, a browser-based WordPress environment that runs entirely client-side without requiring hosting, signup, or configuration. It emphasizes privacy, local data storage, and personal workspace functionality with pre-configured apps for personal CRM, RSS reading, and AI-assisted knowledge management.
This write-up demonstrates stealing authentication tokens stored in browser local storage via stored XSS on an admin account, using an img onerror payload to exfiltrate the data to an attacker server. The researcher found this vulnerability on a Bugcrowd private program and was awarded $800.
A reflected XSS vulnerability in a URL parameter was chained with multiple design flaws (tokens stored in localStorage, lack of token revocation across devices, authorization via headers instead of cookies) to achieve persistent account takeover by stealing and replaying Cognito refresh tokens. The attacker could silently exfiltrate authentication tokens while clearing localStorage to make the victim believe they were logged out.
A researcher chained a stored XSS vulnerability in a mindmap feature with JWT token theft from localStorage and an unauthenticated email-change endpoint to achieve full account takeover. The critical challenge was properly escaping JSON payloads nested within JavaScript code inside an SVG onload handler, which was ultimately solved using eval() to convert single-quoted JSON to double-quoted JSON.